Splunk® Enterprise

REST API Reference Manual

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Knowledge endpoint descriptions

Work with searches and other knowledge objects.

  • Define data configurations indexed and searched by the Splunk platform.
  • Manage how data is handled, using look-ups, field extractions, field aliases, sourcetypes, and transforms.
  • Manage saved event types.
  • Manage search field configurations and search time tags.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud URL for REST API access

Splunk Cloud has a different host and management port syntax than Splunk Enterprise. Use the following URL for Splunk Cloud deployments. If necessary, submit a support case using the Splunk Support Portal to open port 8089 on your deployment.

https://<deployment-name>.splunkcloud.com:8089

Free trial Splunk Cloud accounts cannot access the REST API.

See Using the REST API in Splunk Cloud in the the Splunk REST API Tutorials for more information.



admin/summarization

https://<host>:<mPort>/services/admin/summarization/

Get aggregated details about all accelerated data model summaries.

Authentication and authorization
Authorization to access data model acceleration information is role-based.


GET

Get a list of field:value pairs that provide details about accelerated data models and their summaries.

Request parameters
None.

Returned values

Name Description
search The data models, represented as search strings.
summary.access_count The total number of times that the summary for each data model has been accessed.
summary.access_time The last time that the summary of each data model was accessed.
summary.buckets The total number of buckets in the summaries of each data model.
summary.buckets_size The total size of the buckets in the summaries of each data model. The size is reported in terms of megabytes (MB).
summary.complete Reports whether or not the summaries for each data model are complete.
summary.earliest_time The timestamp of the earliest event in the summaries for each data model.
summary.id The ID of the data models being summarized. The format is DM_<app_name>_<data_model_ID>.
summary.is_inprogress Indicates whether or not the summary build is currently in progress for each data model.
summary.last_error Lists errors that were logged in the latest run (from last_sid) of the summary creation search.
summary.last_sid The SID of the latest creation search job for each data model summary.
summary.latest_time The timestamp of the latest events in each data model summary.
summary.mod_time The last time each data model summary was modified.
summary.size The total size of each summary, in bytes.
summary.time_range The range of time covered by each summary.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/admin/summarization/?by_tstats=1

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>summarization</title>
  <id>https://localhost:8089/services/admin/summarization</id>
  <updated>2015-06-01T15:21:20-07:00</updated>
  <generator build="e343948e242181aa7b94257ede83830605c853d9" version="20150526"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/summarization/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>tstats:DM_search_mydatamodel</title>
    <id>https://localhost:8089/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel</id>
    <updated>2015-06-01T15:21:20-07:00</updated>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="list"/>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="remove"/>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/details" rel="details"/>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/reschedule" rel="reschedule"/>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/touch" rel="touch"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms"/>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="search"><![CDATA[search search (index=* OR index=_*) (index=_internal) | eval nodename = "rootevent"| eval is_Age=if(searchmatch("(avg_age)"),1,0), is_not_Age=1-is_Age | eval nodename = if(nodename == "rootevent" AND searchmatch("(avg_age)"), mvappend(nodename, "rootevent.Age"), nodename) | rename abandoned_channels AS rootevent.abandoned_channels average_kbps AS rootevent.average_kbps avg_age AS rootevent.avg_age bytes AS rootevent.bytes clientip AS rootevent.clientip color AS rootevent.color component AS rootevent.component cookie AS rootevent.cookie cpu_seconds AS rootevent.cpu_seconds cumulative_hits AS rootevent.cumulative_hits current_queue_size AS rootevent.current_queue_size current_size AS rootevent.current_size current_size_kb AS rootevent.current_size_kb date_hour AS rootevent.date_hour is_Age AS rootevent.is_Age is_not_Age AS rootevent.is_not_Age | fields nodename, _time, host, source, sourcetype, rootevent.abandoned_channels, rootevent.average_kbps, rootevent.avg_age, rootevent.bytes, rootevent.clientip, rootevent.color, rootevent.component, rootevent.cookie, rootevent.cpu_seconds, rootevent.cumulative_hits, rootevent.current_queue_size, rootevent.current_size, rootevent.current_size_kb, rootevent.date_hour, rootevent.is_Age, rootevent.is_not_Age]]></s:key>
        <s:key name="summary.access_count">0</s:key>
        <s:key name="summary.access_time">0</s:key>
        <s:key name="summary.buckets">22</s:key>
        <s:key name="summary.buckets_size">273</s:key>
        <s:key name="summary.complete">1.000000</s:key>
        <s:key name="summary.earliest_time">1432174156</s:key>
        <s:key name="summary.id">DM_search_mydatamodel</s:key>
        <s:key name="summary.is_inprogress">0</s:key>
        <s:key name="summary.last_error"></s:key>
        <s:key name="summary.last_sid">scheduler__nobody__search__RMD5692d85674596d683_at_1433197200_18815</s:key>
        <s:key name="summary.latest_time">1432684089</s:key>
        <s:key name="summary.mod_time">1433196908</s:key>
        <s:key name="summary.size">61153280</s:key>
        <s:key name="summary.time_range">604800</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



admin/summarization/tstats:DM_{app}_{data_model_ID}

https://<host>:<mPort>/services/admin/summarization/tstats:DM_{app}_{data_model_ID}

Review information about the summaries of a specific data model. Identify specific data models by providing their app short name and their data model ID.

Authentication and authorization
Authorization to access data model acceleration information is role-based.

GET

Get detailed information about the acceleration summaries of a specific datamodel. See statistics about data model usage and information about the latest summary creation run.

Request parameters

Name Type Default Description
app
required
string The short name of the app to which thie data set belongs.
data model ID
required
string The ID of the data model.


Returned values

Name Description
search The data model, represented as a search string.
summary.access_count The total number of times that the summary for this data model has been accessed.
summary.access_time The last time that the summary of this data model was accessed.
summary.buckets The total number of buckets in the summary of this data model.
summary.buckets_size The total size of the buckets in the summary of this data model. The size is reported in terms of megabytes (MB).
summary.complete Reports whether or not the summary for the data model are complete.
summary.earliest_time The timestamp of the earliest event in the summary for this data model.
summary.id The ID of the data model being summarized. The format is DM_<app_name>_<data_model_ID>.
summary.is_inprogress Indicates whether or not the data model summary build is currently in progress.
summary.last_error Lists errors that were logged in the latest run (from last_sid) of the summary creation search.
summary.last_sid The SID of the latest data model summary creation search job.
summary.latest_time The timestamp of the latest event in the data model summary.
summary.mod_time The last time the data model summary was modified.
summary.size The total size of the summary, in bytes.
summary.time_range The range of time covered by the summary.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/admin/summarization/tstats:DM_search_test_new_accel

XML Response

...
<title>summarization</title>
<id>https://localhost:1413/servicesNS/nobody/search/admin/summarization</id>
<updated>2019-08-13T14:58:12-07:00</updated>
<generator build="2ec8251a07e11294725aa6800463f8a975e18641" version="20190809"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>tstats:DM_search_test_new_accel</title>
<id>https://localhost:1413/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel" rel="list"/>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel" rel="remove"/>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel/details" rel="details"/>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel/reschedule" rel="reschedule"/>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel/touch" rel="touch"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms"/>
<s:key name="removable">0</s:key>
<s:key name="sharing">user</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>isProxyRequest</s:item>
<s:item>noProxy</s:item>
<s:item>time_format</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="search">search search (index=* OR index=_*) (index=_internal date_second=31) | eval nodename = "test" | fields nodename, _time, host, source, sourcetype</s:key>
<s:key name="summary.access_count">0</s:key>
<s:key name="summary.access_time">0</s:key>
<s:key name="summary.average_time">3.028</s:key>
<s:key name="summary.buckets">11</s:key>
<s:key name="summary.buckets_size">461</s:key>
<s:key name="summary.complete">1</s:key>
<s:key name="summary.earliest_time">1565398764</s:key>
<s:key name="summary.id">DM_search_test_new_accel</s:key>
<s:key name="summary.is_inprogress">0</s:key>
<s:key name="summary.last_error">[ronnie.sv.splunk.com] A second test error message just because.
[ronnie.sv.splunk.com] Test error message in remote server.</s:key>
<s:key name="summary.last_sid">scheduler__nobody__search__RMD5837da1d4b8a764d1_at_1565733480_379</s:key>
<s:key name="summary.latest_dispatch_time">1565733481</s:key>
<s:key name="summary.latest_run_duration">5.691</s:key>
<s:key name="summary.latest_time">1565730106</s:key>
<s:key name="summary.mod_time">1565733421</s:key>
<s:key name="summary.p50">1.287</s:key>
<s:key name="summary.p90">5.859</s:key>
<s:key name="summary.run_stats">
<s:dict>
<s:key name="1565730661">
<s:dict>
<s:key name="dispatch_time">1565730661</s:key>
<s:key name="run_duration">0.357</s:key>
</s:dict>
</s:key>
<s:key name="1565730721">
<s:dict>
<s:key name="dispatch_time">1565730721</s:key>
<s:key name="run_duration">0.240</s:key>
</s:dict>
</s:key>
<s:key name="1565730780">
<s:dict>
<s:key name="dispatch_time">1565730780</s:key>
<s:key name="run_duration">0.253</s:key>
</s:dict>
</s:key>
<s:key name="1565730840">
<s:dict>
<s:key name="dispatch_time">1565730840</s:key>
<s:key name="run_duration">0.247</s:key>
</s:dict>
</s:key>
<s:key name="1565730900">
<s:dict>
<s:key name="dispatch_time">1565730900</s:key>
<s:key name="run_duration">0.233</s:key>
</s:dict>
</s:key>
<s:key name="1565730960">
<s:dict>
<s:key name="dispatch_time">1565730960</s:key>
<s:key name="run_duration">0.266</s:key>
</s:dict>
</s:key>
<s:key name="1565731020">
<s:dict>
<s:key name="dispatch_time">1565731020</s:key>
<s:key name="run_duration">0.268</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="summary.size">614400</s:key>
<s:key name="summary.time_range">86400</s:key>
</s:dict>
</content>
</entry>
</feed>



data/lookup-table-files

https://<host>:<mPort>/services/data/lookup-table-files


Access lookup table files.

GET

List lookup table files.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk user who created the lookup table.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files

XML Response

...
 <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T19:26:11-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T19:26:11-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl nodes elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Create a lookup table file by moving a file from the upload staging area into $SPLUNK_HOME.


Request parameters

Name Type Default Description
eai:data
required
String Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.
name
required
String The lookup table filename.


Returned values

Name Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk user who created the lookup table.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/lookup-in-staging-dir.csv -d name=lookup.csv

XML Response

...
<title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:26:35-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:26:35-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/lookup-table-files/{name}

https://<host>:<mPort>/services/data/lookup-table-files/{name}

Manage the {name} lookup table file.


DELETE

Delete the named lookup table file.

Request parameters

None

Returned values

None

Example request and response


XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:43:11-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

List a single lookup table file.


Request parameters
None


Returned values

Name Description
eai:appName The app for which the lookup table applies.
eai:attributes Field control information.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk user who created the lookup table.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv

XML Response

...
 <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:37:25-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:37:25-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>eai:data</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Modify a lookup table file by replacing it with a file from the upload staging area.


Request parameters

Name Type Default Description
eai:data
required
String Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.


Returned values

Name Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk user who created the lookup table.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/another-lookup-in-staging-dir.csv

XML Response

...
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:41:52-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:41:52-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/props/calcfields

https://<host>:<mPort>/services/data/props/calcfields


Provides access to calculated fields, which are eval expressions in props.conf.


GET

Returns information on calculated fields for this instance of your Splunk deployment.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields

XML Response

 <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:01:50-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:01:50-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        ... eai:acl node elided ...
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Create an eval expression defining a calculated field in props.conf.

See Create a calculated field by editing props.conf in the Knowledge Manager Manual for more details.

Request parameters

Name Type Default Description
name
required
String The name of the calculated field. Do not specify the "EVAL-" prefix for the field.

When Splunk software writes the calculated field to props.conf, it adds the "EVAL-" prefix.

stanza
required
String The name of the stanza in props.conf for the calculated field.

The name can be any of the following:

  • Sourcetype of an event
  • host::<host>, where <host> is the host for an event
  • source::<source>, where <source> is the source for an event.

Note: Use URL-encoding to ensure that Splunk software interprets the name of the stanza correctly.

value
required
String The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.

Note: Use URL-encoding to ensure that Splunk software interprets the name of the stanza correctly.


Returned values

Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields -d name=response_time -d stanza=%3Caccess_common%3E -d value=response_time/1000

XML Response

...
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T14:58:45-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T14:58:45-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        ... eai:acl node elided ...
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/props/calcfields/{name}

https://<host>:<mPort>/services/data/props/calcfields/{name}

Manage the {name} calculated field.


DELETE

Deletes the named calculated field.

Usage details
Use URL-encoding to ensure that Splunk software interprets the name of the calculated field correctly.


Request parameters

None


Returned values

None

Example request and response


XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:33:06-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>



GET

Access the named calculated field.

Request parameters

None

Returned values

attribute
    The name of the calculated field, which includes the "EVAL-" prefix.
field.name
    The name of the field that is calculated with an EVAL expression.
stanza
    The name of the stanza in props.conf that defines the calculated field.
type
    The type of the calculated field. This is always EVAL.
value
    The EVAL statement for the calculated field.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:05:09-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:05:09-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        ... eai:acl node elided ...
        ... eai:attributes node elided ...
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Update the named calculated field.


Request parameters

value (String)
    The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.

Note: Use URL-encoding to ensure that Splunk software interprets the name of the stanza correctly.

See Create a calculated field by editing props.conf in the Knowledge Manager Manual for details.


Returned values

attribute
    The name of the calculated field, which includes the "EVAL-" prefix.
field.name
    The name of the field that is calculated with an EVAL expression.
stanza
    The name of the stanza in props.conf that defines the calculated field.
type
    The type of the calculated field. This is always EVAL.
value
    The EVAL statement for the calculated field.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time -d value=response_time/100

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:14:19-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:14:19-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        ... eai:acl node elided ...
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/100</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/props/extractions

https://<host>:<mPort>/services/data/props/extractions


GET

List field extractions.

Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

attribute
    Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
stanza
    The props.conf stanza to which this field extraction applies, for example the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.
type
    Specifies the field extraction type, which is either Inline or Uses transform.
value
    If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T22:55:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>access_combined : REPORT-access</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access</id>
    <updated>2011-07-10T22:55:04-07:00</updated>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="list"/>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">REPORT-access</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">access_combined</s:key>
        <s:key name="type">Uses transform</s:key>
        <s:key name="value">access-extractions</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Create a new field extraction.

Request parameters

name (String, required)
    The user-specified part of the field extraction name. The full name of the field extraction includes this identifier as a suffix.
stanza (String, required)
    The props.conf stanza to which this field extraction applies, e.g. the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.
type (Enum, required)
    Valid values: (REPORT | EXTRACT)
    An EXTRACT-type field extraction is defined with an "inline" regular expression. A REPORT-type field extraction refers to a transforms.conf stanza.
value (String, required)
    If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.


Returned values

attribute
    Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
stanza
    Specifies the name of the stanza for the field extraction.
type
    Specifies the field extraction type, which is either Inline or Uses transform.
value
    If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=port -d stanza=ftp_log -d type=EXTRACT --data-urlencode "value=port (?<port_number>\d+)"

XML Response

...
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T22:56:17-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T22:56:17-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">port (?<port_number>\d+)</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/props/extractions/{name}

https://<host>:<mPort>/services/data/props/extractions/{name}


Manage the {name} field extraction.

DELETE

Delete the named field extraction.

Request parameters
None


Returned values
None


Example request and response


XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:05:42-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

List a single field extraction.


Request parameters
None


Returned values

attribute
    Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
stanza
    The props.conf stanza to which this field extraction applies, for example the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.
type
    Specifies the field extraction type, which is either Inline or Uses transform.
value
    If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:02:31-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T23:02:31-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>value</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">connection on port (?<port_number>\d+)</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
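
Every response on this page wraps an entity's properties in an <s:dict> of <s:key> elements, and the GET responses for a single entity add an eai:attributes key whose value is itself a nested <s:dict> of <s:list> nodes. The following Python is an added example, not code from the Splunk documentation or SDK: it parses such a feed offline into plain dictionaries, splits the <stanza> : <attribute> title, and, for an Inline (EXTRACT) extraction, lists the field names its named capture groups create. SAMPLE_FEED is constructed from the calcfields and extractions responses shown above, with < and > XML-escaped as a real response carries them; parse_entries, parse_dict, split_entity_name and extracted_field_names are names chosen here.

```python
"""Parse the Atom + s:dict responses returned by the data/props/* endpoints (added example)."""
import re
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample feed, modelled on the calcfields and extractions responses above.
# A real response escapes '<' and '>' inside text nodes, which is what is shown here.
SAMPLE_FEED = r"""<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <opensearch:totalResults>2</opensearch:totalResults>
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields"><s:list/></s:key>
            <s:key name="requiredFields"><s:list><s:item>value</s:item></s:list></s:key>
            <s:key name="wildcardFields"><s:list/></s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">connection on port (?&lt;port_number&gt;\d+) from (?&lt;src&gt;\S+)</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>&lt;access_common&gt; : EVAL-response_time</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza">&lt;access_common&gt;</s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def parse_value(key):
    """An s:key holds either a nested s:dict, an s:list, or plain text."""
    nested = key.find("s:dict", NS)
    if nested is not None:
        return parse_dict(nested)
    items = key.find("s:list", NS)
    if items is not None:
        return [parse_value(item) for item in items.findall("s:item", NS)]
    return (key.text or "").strip()


def parse_dict(dict_node):
    """Map every <s:key name="..."> child to its parsed value."""
    return {key.get("name"): parse_value(key) for key in dict_node.findall("s:key", NS)}


def parse_entries(feed_xml):
    """Return one dict per <entry>: its title plus every key of its s:dict content."""
    root = ET.fromstring(feed_xml)
    entries = []
    for entry in root.findall("atom:entry", NS):
        props = {"title": entry.findtext("atom:title", default="", namespaces=NS)}
        content = entry.find("atom:content/s:dict", NS)
        if content is not None:
            props.update(parse_dict(content))
        entries.append(props)
    return entries


def split_entity_name(title):
    """'ftp_log : EXTRACT-port' -> ('ftp_log', 'EXTRACT-port'); the separator is ' : '."""
    stanza, attribute = title.split(" : ", 1)
    return stanza, attribute


def extracted_field_names(regex):
    """Field names an Inline (EXTRACT) regex creates: one per named capture group.
    PCRE, which Splunk uses, accepts both (?<name>...) and (?P<name>...); both are matched."""
    return re.findall(r"\(\?P?<([A-Za-z_][A-Za-z0-9_]*)>", regex)


if __name__ == "__main__":
    for props in parse_entries(SAMPLE_FEED):
        stanza, attribute = split_entity_name(props["title"])
        print(f"[{stanza}] {attribute} ({props['type']}): {props['value']}")
        if props["type"] == "Inline":
            print("  fields defined:", extracted_field_names(props["value"]))
```

Reading requiredFields and wildcardFields out of eai:attributes is how a client learns, before issuing a POST, which parameters the entity accepts (value for an extraction; alias.* for a field alias).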



POST

Modify the named field extraction.


Request parameters

value (String, required)
    If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.


Returned values

attribute
    Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
stanza
    Specifies the name of the stanza for the field extraction.
type
    Specifies the field extraction type, which is either Inline or Uses transform.
value
    If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port --data-urlencode "value=connection on port (?<port_number>\d+)"

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:05:05-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T23:05:05-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">connection on port (?<port_number>\d+)</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/props/fieldaliases

https://<host>:<mPort>/services/data/props/fieldaliases

Access or create field aliases.


GET

List field aliases.



Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

alias.*
    The alias for a given field. For example, a key "alias.foo" with the value "bar" aliases the field "foo" to "bar".
attribute
    Specifies the field alias configuration. For example, FIELDALIAS-<name>.
stanza
    The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type
    Specifies the configuration type. For this endpoint, this is always FIELDALIAS.
value
    The alias definition as it appears in props.conf, for example foo AS bar.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:31:41-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:31:41-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Create a new field alias.


Request parameters

alias.* (String)
    The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
name (String, required)
    The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
stanza (String, required)
    The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.


Returned values

alias.*
    The alias for a given field. For example, a key "alias.foo" with the value "bar" aliases the field "foo" to "bar".
attribute
    Specifies the field alias configuration. For example, FIELDALIAS-<name>.
stanza
    The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type
    Specifies the configuration type. For this endpoint, this is always FIELDALIAS.
value
    The alias definition as it appears in props.conf, for example foo AS bar.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases -d name=alias_name -d stanza=my_sourcetype -d alias.foo=bar

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:30:17-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:30:17-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/props/fieldaliases/{name}

https://<host>:<mPort>/services/data/props/fieldaliases/{name}

Manage the {name} field alias.


DELETE

Delete the named field alias.


Request parameters
None


Returned values
None


Example request and response


XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:37:45-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Access a field alias.


Request parameters
None


Returned values

alias.*
    The alias for a given field. For example, a key "alias.foo" with the value "bar" aliases the field "foo" to "bar".
attribute
    Specifies the field alias configuration. For example, FIELDALIAS-<name>.
stanza
    The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type
    Specifies the configuration type. For this endpoint, this is always FIELDALIAS.
value
    The alias definition as it appears in props.conf, for example foo AS bar.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:33:00-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:33:00-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>alias\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Update a field alias.


Request parameters

alias.* (String)
    The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".


Returned values

alias.*
    The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
attribute
    Specifies the field alias configuration. For example, FIELDALIAS-<name>.
stanza
    The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type
    Specifies the configuration type. For this endpoint, this is always FIELDALIAS.
value
    The alias definitions as they appear in props.conf, one "<field> AS <alias>" pair per alias.* key, for example bye AS goodbye hi AS hello.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name -d alias.hi=hello -d alias.bye=goodbye

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:34:36-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:34:36-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.bye">goodbye</s:key>
        <s:key name="alias.hi">hello</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">bye AS goodbye hi AS hello</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/props/lookups

https://<host>:<mPort>/services/data/props/lookups

Access or create automatic lookups.


GET

List automatic lookups.


Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The transform stanza with the value for the lookup.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:43:53-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:43:53-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        ... eai:acl node elided ...
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Create an automatic lookup.


Request parameters

Name Type Default Description
lookup.field.input.* String A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* String A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
name (required) String The user-specified part of the automatic lookup name. The full name of the automatic lookup includes this identifier as a suffix.
overwrite (required) Boolean If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza (required) String The props.conf stanza to which this automatic lookup applies, e.g. the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.
transform (required) String The transforms.conf stanza that defines the lookup to apply.


Returned values

Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

lookup.field.input.* A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups -d name=my_lookup -d overwrite=1 -d stanza=my_sourcetype -d transform=my_transform -d lookup.field.input.foo= -d lookup.field.output.fuzz=

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:43:31-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:43:31-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        ... eai:acl node elided ...
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/props/lookups/{name}

https://<host>:<mPort>/services/data/props/lookups/{name}


Manage the {name} automatic lookup.


DELETE

Delete an automatic lookup.


Request parameters
None


Returned values
None


Example request and response


XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:32-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Access an automatic lookup.


Request parameters

None

Returned values

Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The transform stanza with the value for the lookup.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:06-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:44:06-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>overwrite</s:item>
                <s:item>transform</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>lookup\.field\.input\..*</s:item>
                <s:item>lookup\.field\.output\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
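Building the percent-encoded entity URL and parsing the Atom <s:dict> response for the lookups endpoints above, as an added example that is not Splunk's own client or SDK code. It assumes the "<stanza> : LOOKUP-<name>" naming and the response layout shown on this page; the "AS" rendering in expected_lookup_value for a non-empty alias is taken from props.conf LOOKUP syntax (the page only shows the empty-alias case), and SAMPLE_FEED is constructed from the GET data/props/lookups/{name} response above.

```python
# Added example for the data/props/lookups endpoints; not Splunk's own code.
# Assumes the "<stanza> : LOOKUP-<name>" entity naming and the Atom <s:dict>
# response layout shown on this page. SAMPLE_FEED is constructed from the
# GET data/props/lookups/{name} response above.
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import quote

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"


def lookup_entity_name(stanza: str, name: str) -> str:
    """Full automatic-lookup name: stanza as prefix, LOOKUP-<name> as suffix."""
    return f"{stanza} : LOOKUP-{name}"


def lookup_entity_url(base: str, user: str, app: str, stanza: str, name: str) -> str:
    """URL of one lookup; the space and ':' in the name must be percent-encoded."""
    encoded = quote(lookup_entity_name(stanza, name), safe="")
    return f"{base}/servicesNS/{user}/{app}/data/props/lookups/{encoded}"


def expected_lookup_value(transform: str, inputs: Dict[str, str],
                          outputs: Dict[str, str]) -> str:
    """props.conf value as shown in the responses above ("my_transform foo OUTPUT fuzz").
    Assumption: a non-empty alias renders as "<column> AS <event field>" (props.conf syntax)."""
    def render(cols: Dict[str, str]) -> str:
        return " ".join(f"{c} AS {a}" if a else c for c, a in cols.items())
    return f"{transform} {render(inputs)} OUTPUT {render(outputs)}"


def _convert(node: ET.Element):
    """s:dict -> dict, s:list -> list, leaf s:key/s:item -> text (nested nodes recurse)."""
    if node.tag == S + "dict":
        return {k.get("name"): _convert(k) for k in node.findall(S + "key")}
    if node.tag == S + "list":
        return [_convert(i) for i in node.findall(S + "item")]
    nested = next((c for c in node if c.tag in (S + "dict", S + "list")), None)
    return _convert(nested) if nested is not None else (node.text or "").strip()


def parse_feed(feed_xml: str) -> Dict[str, dict]:
    """Map each <entry> title to its <s:dict> content as plain Python objects."""
    root = ET.fromstring(feed_xml)
    entries: Dict[str, dict] = {}
    for entry in root.findall(ATOM + "entry"):
        content = entry.find(f"{ATOM}content/{S}dict")
        entries[entry.findtext(ATOM + "title", "")] = _convert(content) if content is not None else {}
    return entries


def check_lookup(feed_xml: str, stanza: str, name: str, transform: str,
                 inputs: Dict[str, str], outputs: Dict[str, str]) -> List[str]:
    """Compare the stored lookup with what was requested; returns a list of mismatches."""
    entry = parse_feed(feed_xml).get(lookup_entity_name(stanza, name))
    if entry is None:
        return ["entry missing from response"]
    problems = []
    if entry.get("transform") != transform:
        problems.append(f"transform is {entry.get('transform')!r}, expected {transform!r}")
    want = expected_lookup_value(transform, inputs, outputs)
    if entry.get("value") != want:
        problems.append(f"value is {entry.get('value')!r}, expected {want!r}")
    return problems


# Constructed sample, trimmed from the GET data/props/lookups/{name} response above.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        <s:key name="eai:attributes"><s:dict>
          <s:key name="optionalFields"><s:list/></s:key>
          <s:key name="requiredFields"><s:list><s:item>overwrite</s:item><s:item>transform</s:item></s:list></s:key>
        </s:dict></s:key>
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""
```

check_lookup is the post-change verification: after a POST, fetch the entity and confirm the stored transform and value match what was requested.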



POST

Update an automatic lookup.


Request parameters

Name Type Default Description
lookup.field.input.* String A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* String A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite (required) Boolean If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
transform (required) String The transforms.conf stanza that defines the lookup to apply.


Returned values

Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

lookup.field.input.* A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup -d overwrite=1 -d transform=other_transform -d lookup.field.input.bar= -d lookup.field.output.buzz=

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:21-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:44:21-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        ... eai:acl node elided ...
        <s:key name="lookup.field.input.bar"/>
        <s:key name="lookup.field.output.buzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">other_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">other_transform bar OUTPUT buzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/props/sourcetype-rename

https://<host>:<mPort>/services/data/props/sourcetype-rename

Access or rename props.conf sourcetypes.


GET

List renamed sourcetypes.


Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:40:53-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:40:53-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Rename a sourcetype.


Request parameters

Name Type Default Description
name (required) String The original sourcetype name.
value (required) String The new sourcetype name.


Returned values

Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename -d name=hardware -d value=hw

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:39:57-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:39:57-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/props/sourcetype-rename/{name}

https://<host>:<mPort>/services/data/props/sourcetype-rename/{name}

Access, delete, or update a sourcetype name.


DELETE

Restore the original sourcetype name for {name}.

Request parameters

None

Returned values

None


Example request and response


XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:49:16-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Access a specific renamed sourcetype.


Request parameters

None


Returned values

Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:44:47-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:44:47-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>value</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Update a renamed sourcetype name.


Request parameters

Name Type Default Description
value (required) String The new sourcetype name.


Returned values

Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware -d value=hrdwr

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:46:58-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:46:58-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hrdwr</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/transforms/extractions

https://<host>:<mPort>/services/data/transforms/extractions

Access field extraction definitions.


GET

List field extractions.


Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
CAN_OPTIMIZE Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk software stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk software preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk software applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk user who created the field extraction definitions. For example, the admin user.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:28:03-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>access-extractions</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/transforms/extractions/access-extractions</id>
    <updated>2011-07-21T20:28:03-07:00</updated>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="list"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"><![CDATA[^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]]]></s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


POST

Create a new field transformation.


Request parameters

Name Type Default Description
CAN_OPTIMIZE Boolean True Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled). Set this to false when you have field discovery turned off and need certain fields to *always* be discovered. Splunk software only optimizes an extraction out if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.

NOTE: This option should rarely be set to false.

CLEAN_KEYS Boolean True If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
disabled Boolean Specifies whether the field transformation is disabled.
FORMAT String This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

FORMAT for index-time extractions:

Use $n (for example $1, $2, etc) to specify the output of each REGEX match.

If REGEX does not have n groups, the matching fails.

The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed.

At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4

When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then:

    FORMAT = foo$1      yields "foobar"
    FORMAT = foo$bar    yields "foo$bar"
    FORMAT = foo$1234   yields "foo$1234"
    FORMAT = foo$1\$2   yields "foobar\$2"

At index-time, FORMAT defaults to <stanza-name>::$1

FORMAT for search-time extractions:

The format of this field as used during search time extractions is as follows:

    FORMAT = <field-name>::<field-value>( <field-name>::<field-value>)*
    field-name = [<string>|$<extracting-group-number>]
    field-value = [<string>|$<extracting-group-number>]

Search-time extraction examples:

    FORMAT = first::$1 second::$2 third::other-value
    FORMAT = $1::$2

You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time.

At search-time, FORMAT defaults to an empty string.

KEEP_EMPTY_VALS Boolean False If set to true, Splunk software preserves extracted fields with empty values.
MV_ADD Boolean False If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
name (required) String The name of the field transformation.
REGEX (required) String Specify a regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions:

    REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS instead (see the DELIMS attribute in transforms.conf.spec).
    REGEX is required for all index-time transforms.

REGEX and the FORMAT attribute:

Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases.

If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>.

For example, the following are equivalent:

    Using FORMAT:
        REGEX = ([a-z]+)=([a-z]+)
        FORMAT = $1::$2
    Without using FORMAT:
        REGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

REGEX defaults to an empty string.

SOURCE_KEY (required) String _raw Specify the KEY to which Splunk software applies REGEX.
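The following example is added here and is not Splunk code: it models the documented search-time behaviour of REGEX, FORMAT, CLEAN_KEYS, KEEP_EMPTY_VALS and MV_ADD on a constructed event, so a transform can be checked locally before it is posted to this endpoint. The _KEY_/_VAL_ pairing and the $n::$m FORMAT mapping follow the equivalence shown above. The sample event, the exact cleaning rule, and the conversion of PCRE (?<name>...) groups to Python's (?P<name>...) syntax are assumptions of the example.

```python
import re

# Constructed sample event (not from the page): key=value pairs, last one empty
SAMPLE_RAW = 'user=alice action=login src=10.0.0.5 status='

def to_python_regex(regex):
    """Splunk regexes use PCRE named groups (?<name>...); Python's re only
    accepts (?P<name>...). Rewrite those, leaving lookbehinds (?<= (?<! alone."""
    return re.sub(r'\(\?<(?![=!])', '(?P<', regex)

def clean_key(name):
    """CLEAN_KEYS: replace non-alphanumerics with '_' and strip leading '_'."""
    return re.sub(r'[^A-Za-z0-9]', '_', name).lstrip('_')

def expand(token, m):
    """$n -> capturing group n; anything else is a literal. Search-time FORMAT
    does not concatenate, so a token is either all $n or all literal."""
    if re.fullmatch(r'\$\d+', token):
        return m.group(int(token[1:]))   # IndexError if REGEX lacks group n
    return token

def add_field(fields, name, value, mv_add):
    """MV_ADD: append to an existing field (multivalue) or discard the new value."""
    if name in fields:
        if mv_add:
            fields[name].append(value)
        return
    fields[name] = [value]

def apply_transform(raw, regex, fmt='', clean_keys=True,
                    keep_empty_vals=False, mv_add=False):
    """Model of one search-time transform with SOURCE_KEY=_raw.
    REGEX is applied to every non-overlapping match, so several key=value
    pairs in one event yield several fields. Returns {field: [values]}."""
    fields = {}
    for m in re.finditer(to_python_regex(regex), raw):
        named = m.groupdict()
        pairs = []
        # _KEY_<s>/_VAL_<s>: the field name is taken from the event itself
        keys = {k[5:]: v for k, v in named.items() if k.startswith('_KEY_')}
        vals = {k[5:]: v for k, v in named.items() if k.startswith('_VAL_')}
        for suffix, key in keys.items():
            if key and suffix in vals:
                pairs.append((key, vals[suffix]))
        # Any other named group is extracted directly as a field
        for k, v in named.items():
            if not k.startswith(('_KEY_', '_VAL_')):
                pairs.append((k, v))
        # FORMAT = <name>::<value> [<name>::<value> ...]; either side may be $n
        for token in fmt.split():
            left, sep, right = token.partition('::')
            if not sep:
                raise ValueError(f'bad FORMAT token {token!r}')
            pairs.append((expand(left, m), expand(right, m)))
        for name, value in pairs:
            value = value or ''
            if value == '' and not keep_empty_vals:
                continue          # KEEP_EMPTY_VALS=false drops empty values
            if clean_keys:
                name = clean_key(name)
            add_field(fields, name, value, mv_add)
    return fields
```

Running apply_transform(SAMPLE_RAW, '(?<_KEY_1>[a-z]+)=(?<_VAL_1>[^\s]*)') yields user, action and src; status is dropped unless keep_empty_vals=True. The same event with REGEX '([a-z]+)=([^\s]*)' and FORMAT '$1::$2' produces identical fields, which is the equivalence the REGEX description states.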


Returned values

Name Description
CAN_OPTIMIZE Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk software stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk software preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions:

    REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS instead (see the DELIMS attribute in transforms.conf.spec).
    REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk software applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = _meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = _meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk user who created the field extraction definitions. For example, the admin user.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions -d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" -d SOURCE_KEY=_raw -d name=my_transform

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:25:20-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:25:20-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/transforms/extractions/{name}

https://<host>:<mPort>/services/data/transforms/extractions/{name}

Access, delete, or update the {name} field extraction.

DELETE

Delete a field extraction.


Request parameters

None


Returned values

None


Example request and response


XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:34:30-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Access a specific field extraction.


Request parameters
None

Returned values

Name Description
CAN_OPTIMIZE Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk software stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk software preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS instead (see the DELIMS attribute in transforms.conf.spec). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk software applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = _meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = _meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk app for which the field extractions are defined. For example, the search app.
eai:attributes Field control information.
eai:userName The name of the Splunk user who created the field extraction definitions. For example, the admin user.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:29:00-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:29:00-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>CAN_OPTIMIZE</s:item>
                <s:item>CLEAN_KEYS</s:item>
                <s:item>FORMAT</s:item>
                <s:item>KEEP_EMPTY_VALS</s:item>
                <s:item>MV_ADD</s:item>
                <s:item>disabled</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>REGEX</s:item>
                <s:item>SOURCE_KEY</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
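The example below is added here and is neither from this page nor from Splunk's SDK. It shows two things a practitioner needs when driving the create and GET operations above from code: the form body is percent-encoded so regex metacharacters survive the round trip (curl -d sends the value verbatim, and a literal + in a regex is decoded by the server as a space), and the Atom response is parsed back into a dict, including the requiredFields list carried in eai:attributes. The embedded response is a trimmed copy of the GET response above with the elided nodes removed; the wire format escapes < as &lt;, which the page's rendering does not show. The host, credentials and CA bundle path are placeholders.

```python
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

ATOM = '{http://www.w3.org/2005/Atom}'
S = '{http://dev.splunk.com/ns/rest}'

# Trimmed copy of the GET response shown above (elided nodes removed, < escaped)
SAMPLE_RESPONSE = '''<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <entry>
    <title>my_transform</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="REGEX">(?&lt;_KEY_1&gt;[a-z]*),(?&lt;_VAL_1&gt;[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list><s:item>CAN_OPTIMIZE</s:item><s:item>FORMAT</s:item></s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list><s:item>REGEX</s:item><s:item>SOURCE_KEY</s:item></s:list>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>'''

def build_create_request(base, owner, app, name, regex, source_key='_raw'):
    """Return (url, body) for POST data/transforms/extractions. urlencode()
    percent-encodes '+', '=', '&' and '<', so the regex arrives unchanged."""
    url = f'{base}/servicesNS/{owner}/{app}/data/transforms/extractions'
    body = urllib.parse.urlencode(
        {'name': name, 'REGEX': regex, 'SOURCE_KEY': source_key}).encode()
    return url, body

def _value(node):
    """Decode an <s:dict>, <s:list> or text node into Python types."""
    d = node.find(f'{S}dict')
    if d is not None:
        return {k.get('name'): _value(k) for k in d.findall(f'{S}key')}
    lst = node.find(f'{S}list')
    if lst is not None:
        return [_value(i) for i in lst.findall(f'{S}item')]
    return (node.text or '').strip()

def parse_feed(xml_text):
    """Map each <entry> title to its decoded <content> dict."""
    root = ET.fromstring(xml_text)
    out = {}
    for entry in root.findall(f'{ATOM}entry'):
        out[entry.findtext(f'{ATOM}title')] = _value(entry.find(f'{ATOM}content'))
    return out

def required_fields(entry):
    """requiredFields from eai:attributes (present on GET of a single entry)."""
    return entry.get('eai:attributes', {}).get('requiredFields', [])

def post(url, body, user, password, cafile):
    """Send the request with certificate verification on (the curl -k examples
    on this page switch it off). cafile is the CA that signed splunkd's cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, method='POST')
    token = base64.b64encode(f'{user}:{password}'.encode()).decode()
    req.add_header('Authorization', f'Basic {token}')
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_feed(resp.read())
```

Checking required_fields() on the parsed entry before building an update request catches a POST that would be rejected for a missing REGEX or SOURCE_KEY without a round trip to the server.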



POST

Update a field extraction.


Request parameters

Name Type Default Description
REGEX String Specify a regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions:

    REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS instead (see the DELIMS attribute in transforms.conf.spec).
    REGEX is required for all index-time transforms.

REGEX and the FORMAT attribute:

Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases.

If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>.

For example, the following are equivalent:

    Using FORMAT:
        REGEX = ([a-z]+)=([a-z]+)
        FORMAT = $1::$2
    Without using FORMAT:
        REGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

REGEX defaults to an empty string.

SOURCE_KEY String _raw Specify the KEY to which Splunk software applies REGEX.
CAN_OPTIMIZE Boolean True Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled). Set this to false when you have field discovery turned off and need certain fields to *always* be discovered. Splunk software only optimizes an extraction out if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.

NOTE: This option should rarely be set to false.

CLEAN_KEYS Boolean True If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
FORMAT String This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

FORMAT for index-time extractions:

Use $n (for example $1, $2, etc) to specify the output of each REGEX match.

If REGEX does not have n groups, the matching fails.

The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed.

At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4

When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then:

    FORMAT = foo$1      yields "foobar"
    FORMAT = foo$bar    yields "foo$bar"
    FORMAT = foo$1234   yields "foo$1234"
    FORMAT = foo$1\$2   yields "foobar\$2"

At index-time, FORMAT defaults to <stanza-name>::$1

FORMAT for search-time extractions:

The format of this field as used during search time extractions is as follows:

    FORMAT = <field-name>::<field-value>( <field-name>::<field-value>)*
    field-name = [<string>|$<extracting-group-number>]
    field-value = [<string>|$<extracting-group-number>]

Search-time extraction examples:

    FORMAT = first::$1 second::$2 third::other-value
    FORMAT = $1::$2

You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time.

At search-time, FORMAT defaults to an empty string.

KEEP_EMPTY_VALS Boolean False If set to true, Splunk software preserves extracted fields with empty values.
MV_ADD Boolean False If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
disabled Boolean Specifies whether the field transformation is disabled.


Returned values

Name Description
CAN_OPTIMIZE Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk software stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk software preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions:

    REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS instead (see the DELIMS attribute in transforms.conf.spec).
    REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk software applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = _meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = _meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk user who created the field extraction definitions. For example, the admin user.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform -d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" -d SOURCE_KEY=_raw -d CLEAN_KEYS=false

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:33:13-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:33:13-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">0</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/transforms/lookups

https://<host>:<mPort>/services/data/transforms/lookups

Access or create lookup definitions.


GET

List lookup definitions.


Request parameters
Pagination and filtering parameters can be used with this method.

Name Datatype Default Description
replicate_delta Boolean false Enable to replicate only the changes to a CSV lookup table rather than replicating the entire lookup table.

Returned values

Name Description
CAN_OPTIMIZE Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk software stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk software preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS instead (see the DELIMS attribute in transforms.conf.spec). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk software applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = _meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = _meta.

disabled Indicates if this lookup is disabled.
eai:appName The Splunk app for which the lookups are defined. For example, the search app.
eai:userName The Splunk user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a Python script located in:

$SPLUNK_HOME/etc/apps/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based. Because the command runs on the search head each time the lookup is invoked, permission to create or edit lookup definitions that set external_cmd amounts to permission to run code there; restrict that permission, and write access to the app bin directories, accordingly.

fields_list List of all fields that are supported by the external command.
replicate_delta Indicates that only the changes to a CSV lookup table are replicated, rather than the entire lookup table.
type Specifies the lookup type.

Can be either external or file.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:10:44-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>dnslookup</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/transforms/lookups/dnslookup</id>
    <updated>2011-08-01T21:10:44-07:00</updated>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="list"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="external_cmd">external_lookup.py clienthost clientip</s:key>
        <s:key name="fields_list">clienthost clientip</s:key>
        <s:key name="type">external</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


POST

Update a lookup definition.

Request parameters

Name Type Default Description
collection String <empty> Name of the collection to use for this lookup. The collection should be defined in $SPLUNK_HOME/etc/<app_name>/collections.conf for the current app.

To create a KV Store lookup, use collection to pass in the KV Store collection name and include the external_type parameter with a value of kvstore in your POST request.
name String The name of the lookup definition.
default_match String If min_matches is greater than zero and Splunk software has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Boolean Specifies whether the lookup definition is disabled.
external_cmd String Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

external_type Type of external command for performing a lookup. One of the following values (default: python):
  • python
  • executable
  • geo
  • kvstore

To define a KV Store lookup, use external_type = kvstore. Include the KV Store collection name in your POST request.

fields_list String A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename String The name of the static lookup table file.
max_matches Number The maximum number of possible matches for each input lookup value.
max_offset_secs Number For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches Number The minimum number of possible matches for each input lookup value.
min_offset_secs Number For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
replicate_delta Boolean false Enable to replicate only the changes to a CSV lookup table rather than replicating the entire lookup table.
time_field String For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format String For temporal lookups, this specifies the "strptime" format of the timestamp field.


Returned values

Name Description
CAN_OPTIMIZE Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk software stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk software preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk software applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

default_match If min_matches is greater than zero and Splunk software has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Specifies whether the lookup definition is disabled.
eai:appName The Splunk app for which the lookups are defined. For example, the search app.
eai:userName The Splunk user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename The name of the static lookup table file.
max_matches The maximum number of possible matches for each input lookup value.

If the lookup is non-temporal (not time-bounded, meaning the time_field attribute is not specified), Splunk software uses the first <integer> entries, in file order.

If the lookup is temporal, Splunk software uses the first <integer> entries in descending time order.

Default = 100 if the lookup is not temporal, default = 1 if it is temporal.

max_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches The minimum number of possible matches for each input lookup value.
min_offset_secs For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
time_field For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format For temporal lookups, this specifies the "strptime" format of the timestamp field.
type Specifies the field extraction type.

Can be either external or file.
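
The temporal-lookup parameters above (time_field, time_format, min_offset_secs, max_offset_secs, max_matches, min_matches, default_match) decide which lookup rows an event can match when the table itself changes over time, a common incident-response question ("which host held this IP when the event fired?"). The following Python is an added example that models the documented semantics; it is not Splunk's implementation. The lease table, field names and timestamps are constructed for the example.

```python
from datetime import datetime

# Constructed lookup table: which host held an IP address over time (a DHCP-style lease log).
LEASES = [
    {"ip": "10.0.0.5", "host": "laptop-a", "lease_start": "2024-03-01 08:00:00"},
    {"ip": "10.0.0.5", "host": "laptop-b", "lease_start": "2024-03-01 12:00:00"},
    {"ip": "10.0.0.5", "host": "laptop-c", "lease_start": "2024-03-01 18:00:00"},
    {"ip": "10.0.0.7", "host": "printer-1", "lease_start": "2024-03-01 09:00:00"},
]
TIME_FIELD = "lease_start"              # the time_field of the lookup definition
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"       # the strptime format named by time_format


def temporal_lookup(table, key_field, key_value, output_field, event_time,
                    time_field, time_format, min_offset_secs=0, max_offset_secs=None,
                    max_matches=1, min_matches=0, default_match=None):
    """Return output_field values for one input value under the temporal-lookup parameters.

    offset = event time - lookup entry time, in seconds. An entry matches when
    min_offset_secs <= offset and (max_offset_secs is None or offset <= max_offset_secs).
    Matches are taken in descending time order up to max_matches, then padded with
    default_match until min_matches values exist.
    """
    candidates = []
    for row in table:
        if row.get(key_field) != key_value:
            continue
        entry_time = datetime.strptime(row[time_field], time_format)
        offset = (event_time - entry_time).total_seconds()
        if offset < min_offset_secs:
            continue                      # entry is newer than the window allows
        if max_offset_secs is not None and offset > max_offset_secs:
            continue                      # entry is older than the window allows
        candidates.append((entry_time, row[output_field]))
    candidates.sort(key=lambda c: c[0], reverse=True)       # most recent entry first
    values = [value for _, value in candidates[:max_matches]]
    while len(values) < min_matches:
        values.append(default_match)      # default_match is supplied until min_matches is reached
    return values


def host_for(ip, event_time_str, **params):
    """Who held `ip` at the event time, using the constructed lease table."""
    event_time = datetime.strptime(event_time_str, TIME_FORMAT)
    return temporal_lookup(LEASES, "ip", ip, "host", event_time, TIME_FIELD, TIME_FORMAT, **params)


if __name__ == "__main__":
    print(host_for("10.0.0.5", "2024-03-01 13:00:00"))
    print(host_for("10.0.0.5", "2024-03-01 13:00:00", max_matches=5))
    print(host_for("10.0.0.5", "2024-03-01 13:00:00", max_matches=5, max_offset_secs=3600))
    print(host_for("10.0.0.5", "2024-03-01 07:00:00", min_matches=1, default_match="unknown"))
```

With the defaults (max_matches=1, min_matches=0) the lookup returns only the most recent lease that started at or before the event; raising max_matches returns older leases as well, and max_offset_secs is what keeps a stale lease from being attributed to a much later event.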

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups -d name=my_lookup -d filename=lookup.csv

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:10:33-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-08-01T21:10:33-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="filename">lookup.csv</s:key>
        <s:key name="type">file</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/transforms/lookups/{name}

https://<host>:<mPort>/services/data/transforms/lookups/{name}

Manage the {name} lookup definition.


DELETE

Delete a specific lookup definition.


Request parameters
None


Returned values
None

Example request and response


XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-07-21T20:03:24-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Access a specific lookup definition.

Request parameters

Name Datatype Default Description
replicate_delta Boolean false Enable to replicate only the changes to a CSV lookup table rather than replicating the entire lookup table.


Returned values

Name Description
CAN_OPTIMIZE Indicates whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS Indicates whether Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk software stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS Indicates whether Splunk software preserves extracted fields with empty values.
LOOKAHEAD For index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk software applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if this lookup is disabled.
eai:appName The Splunk software app for which the lookups are defined. For example, the search app.
eai:attributes Field control information.
eai:userName The Splunk user for which the lookups are defined.
filename The name of the static lookup table file.
replicate_delta Indicates that only the changes to a CSV lookup table are replicated, rather than the entire lookup table.
type Specifies the field extraction type.

Can be either external or file.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:11:01-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-08-01T21:11:01-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>default_match</s:item>
                <s:item>disabled</s:item>
                <s:item>external_cmd</s:item>
                <s:item>fields_list</s:item>
                <s:item>filename</s:item>
                <s:item>max_matches</s:item>
                <s:item>max_offset_secs</s:item>
                <s:item>min_matches</s:item>
                <s:item>min_offset_secs</s:item>
                <s:item>replicate_delta</s:item>
                <s:item>time_field</s:item>
                <s:item>time_format</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="filename">lookup.csv</s:key>
        <s:key name="replicate_delta">1</s:key>
        <s:key name="type">file</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
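
The feed above wraps each lookup definition in an s:dict whose keys can nest: eai:attributes holds a dict of s:list values, while external_cmd is a plain string that the page says is parsed like a shell command line. The following Python is an added example, not code from the Splunk documentation or product. It parses that feed shape into plain dictionaries and produces an inventory of what each lookup actually executes or reads, which is the first thing to check when reviewing which scripts searches in an app can invoke. The sample feed is constructed from the two responses shown on this page (dnslookup and my_lookup) with the elided nodes left out.

```python
import shlex
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"   # namespace of s:dict, s:list, s:key and s:item

# Constructed sample feed: one external (scripted) lookup and one file lookup,
# assembled from the responses shown on this page with the elided nodes left out.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <entry>
    <title>dnslookup</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="external_cmd">external_lookup.py clienthost clientip</s:key>
        <s:key name="fields_list">clienthost clientip</s:key>
        <s:key name="type">external</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>my_lookup</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list><s:item>default_match</s:item><s:item>external_cmd</s:item><s:item>filename</s:item></s:list>
            </s:key>
            <s:key name="requiredFields"><s:list/></s:key>
          </s:dict>
        </s:key>
        <s:key name="filename">lookup.csv</s:key>
        <s:key name="replicate_delta">1</s:key>
        <s:key name="type">file</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def _value(node):
    """Convert an s:key or s:item into a Python value: nested s:dict -> dict, s:list -> list, else text."""
    child_dict = node.find(S + "dict")
    if child_dict is not None:
        return _dict(child_dict)
    child_list = node.find(S + "list")
    if child_list is not None:
        return [_value(item) for item in child_list.findall(S + "item")]
    return (node.text or "").strip()


def _dict(node):
    return {key.get("name"): _value(key) for key in node.findall(S + "key")}


def parse_lookup_feed(xml_text):
    """Return {lookup name: {key: value}} for every <entry> in a transforms/lookups feed."""
    root = ET.fromstring(xml_text)
    lookups = {}
    for entry in root.findall(ATOM + "entry"):
        content = entry.find(ATOM + "content")
        body = content.find(S + "dict") if content is not None else None
        lookups[entry.findtext(ATOM + "title")] = _dict(body) if body is not None else {}
    return lookups


def external_command(definition):
    """Split external_cmd like a shell command line: (script, argument list), or None for a file lookup."""
    cmd = definition.get("external_cmd", "")
    if definition.get("type") != "external" or not cmd:
        return None
    script, *args = shlex.split(cmd)
    return script, args


def summarize(xml_text):
    """Map each lookup to its kind and the script or file that backs it."""
    summary = {}
    for name, definition in parse_lookup_feed(xml_text).items():
        ext = external_command(definition)
        summary[name] = {
            "type": definition.get("type"),
            "disabled": definition.get("disabled") == "1",
            "backing": ext[0] if ext else definition.get("filename"),
            "script_args": ext[1] if ext else [],
        }
    return summary
```

When the feed is fetched from a live instance rather than embedded, fetch it with certificate verification against the CA that issued the management-port certificate; the curl examples on this page pass -k, which skips that check and is only appropriate against the self-signed certificate of a local test instance.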



POST

Update a lookup definition.


Request parameters

Name Type Default Description
collection String <empty> Name of the collection to use for this lookup. The collection should be defined in $SPLUNK_HOME/etc/<app_name>/collections.conf for the current app.

To create a KV Store lookup, use collection to pass in the KV Store collection name and include the external_type parameter with a value of kvstore in your POST request.
default_match String If min_matches is greater than zero and Splunk software has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Boolean Specifies whether the lookup definition is disabled.
external_cmd String Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

external_type Type of external command for performing a lookup. One of the following values (default: python):
  • python
  • executable
  • geo
  • kvstore

To define a KV Store lookup, use external_type = kvstore. Include the KV Store collection name in your POST request.

fields_list String A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename String The name of the static lookup table file.
max_matches Number The maximum number of possible matches for each input lookup value.
max_offset_secs Number For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches Number The minimum number of possible matches for each input lookup value.
min_offset_secs Number For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
replicate_delta Boolean false Enable to replicate only the changes to a CSV lookup table rather than replicating the entire lookup table.
time_field String For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format String For temporal lookups, this specifies the "strptime" format of the timestamp field.


Returned values

Name Description
CAN_OPTIMIZE Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk software stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk software preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk software applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

default_match If min_matches is greater than zero and Splunk software has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Specifies whether the lookup definition is disabled.
eai:appName The Splunk app for which the lookups are defined. For example, the search app.
eai:userName The Splunk user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename The name of the static lookup table file.
max_matches The maximum number of possible matches for each input lookup value.
max_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches The minimum number of possible matches for each input lookup value.
min_offset_secs For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
time_field For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format For temporal lookups, this specifies the "strptime" format of the timestamp field.
type Specifies the field extraction type.

Can be either external or file.
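
CLEAN_KEYS, KEEP_EMPTY_VALS and MV_ADD are returned on every lookup definition above but describe field-extraction behaviour: how extracted keys are normalised, whether empty values survive, and what happens when an extracted field already exists. The following Python is an added example, not Splunk's code, that models a search-time transform applying REGEX under those three flags. It assumes a FORMAT of the form $1::$2 (key and value both taken from capture groups, a transforms.conf convention not described on this page) and that REGEX is applied to every non-overlapping match in the event; the event line and regex are constructed.

```python
import re

# Constructed event and extraction: key=value pairs, one with a hyphenated key,
# one with an empty value, and one key that appears twice.
EVENT = "user=alice src-ip=10.0.0.5 _session= user=bob"
KV_REGEX = r"([\w-]+)=(\S*)"


def clean_key(name):
    """CLEAN_KEYS semantics: non-alphanumeric characters become '_' and leading underscores are stripped."""
    return re.sub(r"[^0-9A-Za-z]", "_", name).lstrip("_")


def _expand(template, match):
    """Replace $1, $2, ... in a FORMAT template with the capture groups of `match`."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", template)


def extract(event, regex, fmt, existing=None, clean_keys=True, keep_empty_vals=False, mv_add=False):
    """Apply REGEX + FORMAT ('<key template>::<value template>') and merge into `existing` fields.

    Assumption (not from this page): the regex is applied to every match in the event.
    Single-valued fields come back as strings, multivalued ones as lists.
    """
    fields = {}
    for key, value in (existing or {}).items():
        fields[key] = list(value) if isinstance(value, list) else [value]
    key_template, value_template = fmt.split("::", 1)
    for match in re.finditer(regex, event):
        key = _expand(key_template, match)
        value = _expand(value_template, match)
        if clean_keys:
            key = clean_key(key)
        if not key:
            continue
        if value == "" and not keep_empty_vals:
            continue                          # KEEP_EMPTY_VALS=false drops empty extractions
        if key in fields:
            if mv_add:
                fields[key].append(value)     # MV_ADD=true: field becomes multivalued
            # MV_ADD=false: the newly extracted value is discarded
        else:
            fields[key] = [value]
    return {k: (v[0] if len(v) == 1 else v) for k, v in fields.items()}


if __name__ == "__main__":
    print(extract(EVENT, KV_REGEX, "$1::$2"))
    print(extract(EVENT, KV_REGEX, "$1::$2", mv_add=True, keep_empty_vals=True))
```

The default flag values matter for detection content: with MV_ADD off, a second user=... pair in the same event is silently dropped, so a search that keys on the field sees only the first value.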

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup -d external_cmd=myscript.py -d fields_list=a,b,c

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-07-21T20:00:07-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-07-21T20:00:07-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="external_cmd">myscript.py</s:key>
        <s:key name="fields_list">a,b,c</s:key>
        <s:key name="replicate_delta">1</s:key>
        <s:key name="type">external</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
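
The POST above registers myscript.py as an external lookup. Per the description of external_cmd, Splunk runs the first token as a script from the app's bin directory and passes the remaining tokens (the field names) as arguments; the script receives the lookup input as CSV with a header row on standard input and returns completed rows as CSV on standard output. That stdin/stdout contract is not spelled out on this page and is assumed here from the external_lookup.py shipped with the search app. The script below is an added example, not Splunk's external_lookup.py: it completes clienthost from clientip and vice versa from a constructed in-memory table instead of live DNS, so it runs offline, and it leaves unknown values empty so the search-side default_match and min_matches settings decide what the user sees.

```python
#!/usr/bin/env python3
"""External lookup for fields_list 'clienthost clientip' (added example, constructed data)."""
import csv
import sys

# Constructed stand-in for a resolver; a real script would query DNS or an asset inventory.
IP_TO_HOST = {
    "10.0.0.5": "app01.example.internal",
    "10.0.0.9": "db02.example.internal",
}
HOST_TO_IP = {host: ip for ip, host in IP_TO_HOST.items()}


def complete_row(row, host_field, ip_field, ip_to_host=IP_TO_HOST, host_to_ip=HOST_TO_IP):
    """Fill whichever of the two fields is missing; unknown values stay empty."""
    out = dict(row)
    host = (row.get(host_field) or "").strip()
    ip = (row.get(ip_field) or "").strip()
    if ip and not host:
        out[host_field] = ip_to_host.get(ip, "")
    elif host and not ip:
        out[ip_field] = host_to_ip.get(host, "")
    return out


def run_lookup(rows, field_names, host_field="clienthost", ip_field="clientip"):
    """Complete every row, keeping only the columns named in fields_list (the argv fields)."""
    return [{f: complete_row(r, host_field, ip_field).get(f, "") for f in field_names} for r in rows]


def main(argv=None):
    """Entry point in the shape Splunk invokes: argv are the field names, CSV in on stdin, CSV out on stdout."""
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) < 2:
        sys.stderr.write("usage: external_lookup.py <host_field> <ip_field>\n")
        return 2
    host_field, ip_field = argv[0], argv[1]
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=argv)
    writer.writeheader()
    for out in run_lookup(reader, argv, host_field, ip_field):
        writer.writerow(out)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the script only indexes into dictionaries, row values from the search pipeline never reach a shell or a subprocess; that is the property to preserve if the constructed table is replaced by a real resolver.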



data/transforms/metric-schema

https://<host>:<mPort>/services/data/transforms/metric-schema

Use this endpoint to configure ingest-time log-to-metrics transformations. Identify measurements and blacklist dimensions. Design transformations that target specific event schemas within a log.

Authentication and Authorization
Use of this endpoint is restricted to roles that have the edit_metric_schema capability.

Usage Details
For more information about carrying out ingest-time log-to-metrics transformations using this endpoint, see Convert event logs to metric data points in Metrics.

GET

List existing log-to-metrics configurations.

Request parameters
None.

Returned parameters
None

Example request and response

XML Request

curl -k -u admin:ch@ngeme -X GET https://localhost:8089/services/data/transforms/metric-schema/splunk_metrics

XML Response

<title>metric-schema</title>
<id>https://localhost:8089/services/data/transforms/metric-schema</id>
<updated>2018-07-31T17:00:21-07:00</updated>
<generator build="06d0f1f682cc" version="7.1.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/transforms/metric-schema/_new" rel="create"/>
<link href="/services/data/transforms/metric-schema/_reload" rel="_reload"/>
<link href="/services/data/transforms/metric-schema/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>metric-schema:splunk_metrics</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="list"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="edit"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="remove"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics/move" rel="move"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="METRIC-SCHEMA-BLACKLIST-DIMS-queue">location,corp</s:key>
<s:key name="METRIC-SCHEMA-MEASURES-queue">max_size_kb,current_size_kb,current_size,largest_size,smallest_size</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>blacklist_dimensions</s:item>
<s:item>field_names</s:item>
<s:item>metric_name_prefix</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>

POST

Configures ingest-time conversion of log events to metric data points.

Request parameters

Name Type Description
name String Required. Name of the metric-schema stanza in transforms.conf.
field_names String Required. Comma-separated list of measure fields to be extracted from a log line.
blacklist_dimensions String Optional. Comma-separated list of dimension fields to be omitted when log events are converted to metric data points.
metric_name_prefix String Optional. Used when the events in a log have more than one schema, meaning that they have differing sets of measure fields and blacklisted dimension fields. Takes the value of a field that is shared by all events in the log, and whose values correspond to the different event schemas.

Returned parameters

Name Type Description
METRIC-SCHEMA-MEASURES-<metric_name_prefix> String Comma-separated list of measure fields to be extracted from a log line.
METRIC-SCHEMA-BLACKLIST-DIMS-<metric_name_prefix> String Comma-separated list of dimension fields to be omitted when log events are converted to metric data points.

Example request and response

XML Request

curl -k -u admin:ch@ngeme -X POST https://localhost:8089/services/data/transforms/metric-schema -d "name=splunk_metrics" -d "metric_name_prefix=queue" -d "field_names=max_size_kb,current_size_kb,current_size,largest_size,smallest_size" -d "blacklist_dimensions=location,corp"

XML Response

...
<title>metric-schema</title>
<id>https://localhost:8089/services/data/transforms/metric-schema</id>
<updated>2018-07-31T16:33:54-07:00</updated>
<generator build="06d0f1f682cc" version="7.1.0"/>
<author>
 <name>Splunk</name>
</author>
<link href="/services/data/transforms/metric-schema/_new" rel="create"/>
<link href="/services/data/transforms/metric-schema/_reload" rel="_reload"/>
<link href="/services/data/transforms/metric-schema/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>metric-schema:splunk_metrics</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="alternate"/>
<author>
  <name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="list"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="edit"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="remove"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics/move" rel="move"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics/disable" rel="disable"/>
<content type="text/xml">
 <s:dict>
 <s:key name="METRIC-SCHEMA-BLACKLIST-DIMS-queue">location,corp</s:key>
 <s:key name="METRIC-SCHEMA-MEASURES-queue">max_size_kb,current_size_kb,current_size,largest_size,smallest_size</s:key>
 <s:key name="disabled">0</s:key>
 <s:key name="eai:acl">
 <s:dict>
 <s:key name="app">search</s:key>
 <s:key name="can_change_perms">1</s:key>
 <s:key name="can_list">1</s:key>
 <s:key name="can_share_app">1</s:key>
 <s:key name="can_share_global">1</s:key>
 <s:key name="can_share_user">0</s:key>
 <s:key name="can_write">1</s:key>
 <s:key name="modifiable">1</s:key>
 <s:key name="owner">nobody</s:key>
  <s:key name="perms">
  <s:dict>
   <s:key name="read">
    <s:list>
      <s:item>*</s:item>
    </s:list>
   </s:key>
   <s:key name="write">
    <s:list>
     <s:item>*</s:item>
    </s:list>
   </s:key>
  </s:dict>
 </s:key>
 <s:key name="removable">1</s:key>
 <s:key name="sharing">app</s:key>
 </s:dict>
 </s:key>
 </s:dict>
</content>
</entry>
</feed>
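The following is an added example, not Splunk's own code, showing what the metric-schema stanza created by the POST above does to field-extracted log events: measures become metric data points and blacklisted fields are dropped from the dimensions. The events, the selector field name "component", the "<prefix>.<measure>" metric naming and the rule that every remaining field is a dimension are assumptions made for the illustration.

```python
"""Added example (not Splunk's own code): how a metric-schema stanza like the one
created by the POST above turns field-extracted log events into metric data points."""
import re

# Constructed copy of the stanza the POST above creates (same keys as the response).
STANZA = {
    "METRIC-SCHEMA-MEASURES-queue": "max_size_kb,current_size_kb,current_size,largest_size,smallest_size",
    "METRIC-SCHEMA-BLACKLIST-DIMS-queue": "location,corp",
}

# Constructed events, already field-extracted. Assumption: the field whose value
# selects the schema (the metric_name_prefix) is called "component" here.
SELECTOR_FIELD = "component"
SAMPLE_EVENTS = [
    {"component": "queue", "name": "parsingQueue", "max_size_kb": "500",
     "current_size_kb": "120", "current_size": "7", "largest_size": "9",
     "smallest_size": "0", "location": "sv", "corp": "acme", "host": "idx01"},
    # No METRIC-SCHEMA-* keys exist for prefix "pipeline": produces no data points.
    {"component": "pipeline", "name": "typing", "cpu_seconds": "1.5", "host": "idx01"},
    # A non-numeric measure is skipped; the numeric one still becomes a data point.
    {"component": "queue", "name": "indexQueue", "max_size_kb": "n/a",
     "current_size_kb": "30", "host": "idx02"},
]

_MEASURES_KEY = re.compile(r"^METRIC-SCHEMA-MEASURES-(?P<prefix>.+)$")
_BLACKLIST_KEY = re.compile(r"^METRIC-SCHEMA-BLACKLIST-DIMS-(?P<prefix>.+)$")


def _split_list(value):
    """Split a comma-separated transforms.conf value into a list, dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_schemas(stanza):
    """Group the METRIC-SCHEMA-* keys of one stanza by metric_name_prefix.

    Returns {prefix: {"measures": [...], "blacklist": set(...)}}.
    """
    schemas = {}
    for key, value in stanza.items():
        for pattern, slot in ((_MEASURES_KEY, "measures"), (_BLACKLIST_KEY, "blacklist")):
            match = pattern.match(key)
            if not match:
                continue
            entry = schemas.setdefault(match.group("prefix"), {"measures": [], "blacklist": set()})
            if slot == "measures":
                entry["measures"].extend(_split_list(value))
            else:
                entry["blacklist"].update(_split_list(value))
    return schemas


def convert_event(event, schemas, selector_field=SELECTOR_FIELD):
    """Emit one metric data point per measure field present in the event.

    Assumptions (not stated on the page): metric_name is "<prefix>.<measure>", and every
    event field that is neither a measure, a blacklisted dimension nor the selector
    field becomes a dimension of the data point.
    """
    prefix = event.get(selector_field)
    schema = schemas.get(prefix)
    if schema is None:
        return []
    excluded = set(schema["measures"]) | schema["blacklist"] | {selector_field}
    dims = {k: v for k, v in event.items() if k not in excluded}
    points = []
    for measure in schema["measures"]:
        if measure not in event:
            continue
        try:
            value = float(event[measure])
        except ValueError:
            continue  # measures must be numeric; skip junk rather than emit a bad point
        points.append({"metric_name": f"{prefix}.{measure}", "_value": value, "dims": dict(dims)})
    return points


def convert_events(events, stanza=STANZA, selector_field=SELECTOR_FIELD):
    """Convert a batch of events with one stanza; returns the flat list of data points."""
    schemas = parse_schemas(stanza)
    return [point for event in events for point in convert_event(event, schemas, selector_field)]


if __name__ == "__main__":
    for point in convert_events(SAMPLE_EVENTS):
        print(point)
```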

DELETE

Delete an existing log-to-metrics configuration.

Request parameters
None.

Returned parameters
None.

Example request and response

XML Request

curl -k -u admin:ch@ngeme -X DELETE https://localhost:8089/services/data/transforms/metric-schema/splunk_metrics

XML Response

<title>metric-schema</title>
<id>https://localhost:8089/services/data/transforms/metric-schema</id>
<updated>2018-07-31T16:56:36-07:00</updated>
<generator build="06d0f1f682cc" version="7.1.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/transforms/metric-schema/_new" rel="create"/>
<link href="/services/data/transforms/metric-schema/_reload" rel="_reload"/>
<link href="/services/data/transforms/metric-schema/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>

data/transforms/statsdextractions

https://<host>:<mPort>/services/data/transforms/statsdextractions

Use this endpoint to configure dimension extraction from StatsD metrics.

Authentication and Authorization
Use of this endpoint is restricted to roles that have the edit_statsd_transforms capability.

Usage Details
For more information about StatsD dimension extraction using this endpoint, see Get metrics in with StatsD in Metrics.

POST

Configures dimension extraction from StatsD metrics.

Request parameters

Name Type Description
unique_transforms_stanza_name String A unique name for this stanza, sent as the name parameter in the request.
REGEX String A regular expression that defines how to match and extract dimensions from StatsD metrics data. Splunk supports the named capturing-group format (?<dim1>group)(?<dim2>group) ... to provide dimension names for the corresponding extracted values.
REMOVE_DIMS_FROM_METRIC_NAME Boolean Specifies whether the unmatched segments of the dotted StatsD metric name are used as the metric_name.

When true, the dimension values are removed from the measurement name and the unmatched portion becomes the metric_name. The default value is true.

When false, the extracted dimension values remain part of the metric_name.

For example, a metric measurement name is "x.y.z" and the regular expression matches "y" and "z". When REMOVE_DIMS_FROM_METRIC_NAME is true, metric_name is "x". When false, metric_name is "x.y.z".

Example request and response

Request

curl -k -u admin:pass https://localhost:8089/services/data/transforms/statsdextractions -d "name=statsd-ex&REGEX=\.(?<hostname>\S%2B?)\.(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})&REMOVE_DIMS_FROM_METRIC_NAME=true"

Response

...
  <title>transforms-statsd</title>
  <id>https://<localhost>:<mport>/services/data/transforms/statsdextractions</id>
  <updated>2017-08-08T23:53:45+00:00</updated>
  <generator build="eb729684699b" version="7.0.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/transforms/statsdextractions/_new" rel="create"/>
  <link href="/services/data/transforms/statsdextractions/_reload" rel="_reload"/>
  <link href="/services/data/transforms/statsdextractions/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>statsd-dims:statsd-ex</title>
    <id>https://epic-metriks-splk.sv.splunk.com:8089/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex" rel="list"/>
    <link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex/move" rel="move"/>
    <link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="REGEX">\.(?<hostname>\S+?)\.(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})</s:key>
        <s:key name="REMOVE_DIMS_FROM_METRIC_NAME">1</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">0</s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_share_app">0</s:key>
            <s:key name="can_share_global">0</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
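The following is an added example, not Splunk's own code, applying the REGEX from the statsd-dims stanza above to constructed StatsD datagrams and showing both settings of REMOVE_DIMS_FROM_METRIC_NAME. Python's re module does not accept PCRE-style (?<name>...) groups, so the block rewrites them to (?P<name>...); that rewrite and the exact rule for cutting matched dimensions out of the name are assumptions.

```python
"""Added example (not Splunk's own code): what the statsd-dims stanza above does to a
StatsD metric name, and how REMOVE_DIMS_FROM_METRIC_NAME changes the result."""
import re

# The REGEX value from the response above (PCRE-style (?<name>...) named groups).
SPLUNK_REGEX = r"\.(?<hostname>\S+?)\.(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

# Constructed StatsD datagrams ("<name>:<value>|<type>") to run the stanza against.
SAMPLE_LINES = [
    "cpu.webhost01.10.1.2.3:42|g",
    "cpu.webhost01.10.1.2.3.idle:87|g",  # dimensions sit in the middle of the name
    "requests.total:7|c",  # nothing for the regex to match
]


def pcre_to_python(pattern):
    """Rewrite (?<name>...) groups to Python's (?P<name>...) without touching lookbehinds."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def parse_statsd_line(line):
    """Split one datagram into (metric name, numeric value, StatsD type)."""
    name, rest = line.split(":", 1)
    value, metric_type = rest.split("|", 1)
    return name, float(value), metric_type


def extract_dimensions(metric_name, regex=SPLUNK_REGEX, remove_dims_from_metric_name=True):
    """Apply the stanza to one metric name; return (metric_name, dims).

    Assumption: with REMOVE_DIMS_FROM_METRIC_NAME=true the whole matched span is cut
    out of the dotted name and any leftover doubled or edge dots are tidied up.
    """
    match = re.compile(pcre_to_python(regex)).search(metric_name)
    if match is None:
        return metric_name, {}
    dims = {k: v for k, v in match.groupdict().items() if v is not None}
    if not remove_dims_from_metric_name:
        return metric_name, dims
    remainder = metric_name[: match.start()] + metric_name[match.end():]
    remainder = re.sub(r"\.{2,}", ".", remainder).strip(".")
    return remainder, dims


def process(lines, remove_dims_from_metric_name=True):
    """Turn StatsD lines into metric data points with the extracted dimensions."""
    points = []
    for line in lines:
        name, value, metric_type = parse_statsd_line(line)
        metric_name, dims = extract_dimensions(name, SPLUNK_REGEX, remove_dims_from_metric_name)
        points.append({"metric_name": metric_name, "_value": value,
                       "metric_type": metric_type, "dims": dims})
    return points


if __name__ == "__main__":
    for point in process(SAMPLE_LINES):
        print(point)
```

Because `\S+?` also matches dots, a name such as cpu.idle.webhost01.10.1.2.3 yields the hostname dimension idle.webhost01 with this REGEX; anchor the hostname group to `[^.]+` if that is not intended.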

data/ui/panels

https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/panels

View, add, or edit dashboard panels.

GET

Access all the XML definitions for existing panels.


Request parameters
None.

Returned values

Name Description
eai:appName App context for the panel.
eai:data XML definition for the panel.
eai:userName User who created the panel.
label Panel label.
panel.title Panel title.
rootNode XML root node.


Example request and response


XML Request

curl --get -k -u username:password https://localhost:8089/servicesNS/admin/search/data/ui/panels

XML Response

<title>panels</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/ui/panels</id>
  <updated>2018-12-17T12:03:14-08:00</updated>
  <generator build="8f0ead9ec3db" version="7.1.1"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/ui/panels/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/ui/panels/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/data/ui/panels/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>new_panel</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/ui/panels/new_panel</id>
    <updated>2018-12-17T12:02:57-08:00</updated>
    <link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="list"/>
    <link href="/servicesNS/admin/search/data/ui/panels/new_panel/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="edit"/>
    <link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="remove"/>
    <link href="/servicesNS/admin/search/data/ui/panels/new_panel/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data"><![CDATA[<panel><label>the_new_label</label></panel>]]></s:key>
        <s:key name="eai:digest">1c70628bb4aeec0470707e59e1b2d321</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="label">the_new_label</s:key>
        <s:key name="panel.title">new_panel</s:key>
        <s:key name="rootNode">panel</s:key>
      </s:dict>
    </content>
  </entry>


POST

Create a new dashboard panel source XML definition.


Request parameters

Name Type Description
name String Panel name.
eai:data XML document Panel XML definition.


Returned values

Name Description
eai:appName App context for the panel.
eai:data XML definition for the panel.
eai:userName User who created the panel.
label Panel label.
panel.title Panel title.
rootNode XML root node.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/ui/panels -d "name=new_panel&eai:data=<panel><label>the_new_label</label></panel>"

XML Response

<title>panels</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/ui/panels</id>
  <updated>2018-12-17T12:02:57-08:00</updated>
  <generator build="8f0ead9ec3db" version="7.1.1"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/ui/panels/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/ui/panels/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/data/ui/panels/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>new_panel</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/ui/panels/new_panel</id>
    <updated>2018-12-17T12:02:57-08:00</updated>
    <link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="list"/>
    <link href="/servicesNS/admin/search/data/ui/panels/new_panel/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="edit"/>
    <link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="remove"/>
    <link href="/servicesNS/admin/search/data/ui/panels/new_panel/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data"><![CDATA[<panel><label>the_new_label</label></panel>]]></s:key>
        <s:key name="eai:digest">1c70628bb4aeec0470707e59e1b2d321</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="label">the_new_label</s:key>
        <s:key name="panel.title">new_panel</s:key>
        <s:key name="rootNode">panel</s:key>
      </s:dict>
    </content>
  </entry>



data/ui/views

https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views

View or create a dashboard source XML definition.

GET

Access all the XML definitions for existing dashboards.


Request parameters
None.

Returned values

Name Description
eai:appName App context for the dashboard.
eai:data XML definition for the dashboard.
eai:type User interface type. For dashboards, this type is view.
eai:userName User who created the dashboard.
isDashboard Boolean value indicating whether the knowledge object is a dashboard.
isVisible Boolean value indicating whether the dashboard is visible.
label Dashboard label.
rootNode XML root node.


Example request and response


XML Request

curl --get -k -u username:password https://localhost:8089/servicesNS/admin/search/data/ui/views

XML Response

<title>views</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id>
  <updated>2015-10-08T16:17:03-07:00</updated>
  <generator build="a1c9b18fdcfc" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title> my_dashboard </title>
    <id>https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard</id>
    <updated>2015-10-08T16:17:03-07:00</updated>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="list"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="edit"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="remove"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>eai:type</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>eai:data</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:data"><![CDATA[<dashboard><label>my_dashboard_label</label></dashboard>]]></s:key>
        <s:key name="eai:digest">01778119e0d9352ca0c6eb0aa7f00950</s:key>
        <s:key name="eai:type">views</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="isDashboard">1</s:key>
        <s:key name="isVisible">1</s:key>
        <s:key name="label">my_dashboard_label</s:key>
        <s:key name="rootNode">dashboard</s:key>
      </s:dict>
    </content>
  </entry>


POST

Create a new dashboard source XML definition.


Request parameters

Name Type Description
name String Dashboard name.
eai:data XML document Dashboard XML definition.


Returned values

Name Description
eai:appName App context for the dashboard.
eai:data XML definition for the dashboard.
eai:type User interface type. For dashboards, this type is view.
eai:userName User who created the dashboard.
isDashboard Boolean value indicating whether the knowledge object is a dashboard.
isVisible Boolean value indicating whether the dashboard is visible.
label Dashboard label.
rootNode XML root node.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/ui/views -d "name=new_dashboard&eai:data=<dashboard><label>the_new_label</label></dashboard>"

XML Response

<title>views</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id>
  <updated>2015-10-08T15:50:01-07:00</updated>
  <generator build="a1c9b18fdcfc" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>new_dashboard</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/ui/views/new_dashboard</id>
    <updated>2015-10-08T15:50:01-07:00</updated>
    <link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="list"/>
    <link href="/servicesNS/admin/search/data/ui/views/new_dashboard/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="edit"/>
    <link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="remove"/>
    <link href="/servicesNS/admin/search/data/ui/views/new_dashboard/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data"><![CDATA[<dashboard><label> the_new_label </label></dashboard>]]></s:key>
        <s:key name="eai:digest">533c60e648b7c4733321ae205d2627d8</s:key>
        <s:key name="eai:type">views</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="isDashboard">1</s:key>
        <s:key name="isVisible">1</s:key>
        <s:key name="label">the_new_label</s:key>
        <s:key name="rootNode">dashboard</s:key>
      </s:dict>
    </content>
  </entry>



data/ui/views/{name}

https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views/{name}

Access or update source XML for an existing dashboard.


GET

Access an existing dashboard XML definition.


Request parameters
None.

Returned values

Name Description
eai:appName App context for the dashboard.
eai:data XML definition for the dashboard.
eai:type User interface type. For dashboards, this type is view.
eai:userName User who created the dashboard.
isDashboard Boolean value indicating whether the knowledge object is a dashboard.
isVisible Boolean value indicating whether the dashboard is visible.
label Dashboard label.
rootNode XML root node.


Example request and response


XML Request

curl -k -u username:password https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard

XML Response

<title>views</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id>
  <updated>2015-10-08T16:17:03-07:00</updated>
  <generator build="a1c9b18fdcfc" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title> my_dashboard </title>
    <id>https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard</id>
    <updated>2015-10-08T16:17:03-07:00</updated>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="list"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="edit"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="remove"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>eai:type</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>eai:data</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:data"><![CDATA[<dashboard><label>my_dashboard_label</label></dashboard>]]></s:key>
        <s:key name="eai:digest">01778119e0d9352ca0c6eb0aa7f00950</s:key>
        <s:key name="eai:type">views</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="isDashboard">1</s:key>
        <s:key name="isVisible">1</s:key>
        <s:key name="label">my_dashboard_label</s:key>
        <s:key name="rootNode">dashboard</s:key>
      </s:dict>
    </content>
  </entry>



POST

Update a specific dashboard XML definition.


Request parameters

Name Type Description
eai:data XML document Dashboard XML definition.


Returned values

Name Description
eai:appName App context for the dashboard.
eai:data XML definition for the dashboard.
eai:type User interface type. For dashboards, this type is view.
eai:userName User who created the dashboard.
isDashboard Boolean value indicating whether the knowledge object is a dashboard.
isVisible Boolean value indicating whether the dashboard is visible.
label Dashboard label.
rootNode XML root node.

Example request and response


XML Request

curl -k -u username:password https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard -d "eai:data=<dashboard><label>new_label</label></dashboard>"

XML Response

  <title>views</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id>
  <updated>2015-10-08T16:38:23-07:00</updated>
  <generator build="a1c9b18fdcfc" version="6.4.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title> my_dashboard </title>
    <id>https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard </id>
    <updated>2015-10-08T16:38:23-07:00</updated>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="list"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="edit"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="remove"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data"><![CDATA[<dashboard><label>new_label</label></dashboard>]]></s:key>
        <s:key name="eai:digest">31513ad6cce14b5c792f175cc1691e5e</s:key>
        <s:key name="eai:type">views</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="isDashboard">1</s:key>
        <s:key name="isVisible">1</s:key>
        <s:key name="label">new_label</s:key>
        <s:key name="rootNode">dashboard</s:key>
      </s:dict>
    </content>



DELETE

Delete a specific dashboard XML definition.


Request parameters
None.


Returned values
None.


Example request and response


XML Request

curl -k -u username:password --request DELETE https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>views</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id>
  <updated>2015-10-08T17:07:12-07:00</updated>
  <generator build="a1c9b18fdcfc" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>



datamodel/acceleration (DEPRECATED)

https://<host>:<mPort>/services/datamodel/acceleration

Access information about data models that have acceleration enabled.



datamodel/acceleration/{name} (DEPRECATED)

https://<host>:<mPort>/services/datamodel/acceleration/{name}

Get information about the {name} datamodel.

Note: This endpoint is deprecated.


GET

Get information about a specific data model.


Request parameters
None


Returned values

Name Description
acceleration Indicates if acceleration is enabled for this data model.
acceleration.earliest_time The earliest time to dispatch the search.
search Specifies the search to accelerate this data model.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/datamodel/acceleration/simpleMyAppModel

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/acceleration</id>
  <updated>2013-08-24T12:55:07-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>simpleMyAppModel</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel</id>
    <updated>2013-08-24T12:55:07-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">1</s:key>
        <s:key name="acceleration.earliest_time">-1mon</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:digest">9a9dba7c96b3f81554e3773b8d8fe45e</s:key>
        <s:key name="eai:type">datamodels</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="search"><![CDATA[uri=*  status=*  clientip=*  referer=*  useragent=*  (sourcetype=access_*)  (status < 600)  |
        . . . elided . . .
        "HTTP_Request.HTTP_Success.is_not_Pageview", "HTTP_Request.HTTP_Success.Pageview.myevalfield2"]]>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>



datamodel/model

https://<host>:<mPort>/services/datamodel/model

Access or create data models.


GET

List data models on the server.


Request parameters

Name Type Default Description
concise Boolean Indicates whether to list a concise JSON description of the data model.

The concise description is a summary for human readability. It is not used to create the data model.


Pagination and filtering parameters can also be used with this method.


Returned values

Name Description
acceleration Indicates whether acceleration is enabled for the data model.
concise Indicates whether to list a concise JSON description of the data model.
description The JSON describing the data model.
displayName The name displayed for the data model in Splunk Web.
eai:appName The Splunk app in which the data model was created.
eai:userName The name of the user who created the data model.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/datamodel/model

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
  <updated>2013-08-15T11:42:06-07:00</updated>
  <generator build="176231" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>MyApp</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
    <updated>2013-08-23T15:03:13-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">{"enabled": false}</s:key>
        <s:key name="description"><![CDATA[{"objects": [{"lineage": "HTTP_Request", "previewSearch": " | search  (sourcetype=access_* OR sourcetype=iis*)
        . . . elided . . .
         "modelName": "MyApp", "displayName": "Web Intelligence"}]]>
        </s:key>
        <s:key name="displayName">Web Intelligence</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>power</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:digest">b8ebd9315dddf8a5e572187f57ddc9de</s:key>
        <s:key name="eai:type">models</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
  . . . elided . . .
</feed>
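Every entry in the response above carries an eai:acl block (owner, sharing, and the read and write role lists) next to the acceleration JSON, and the same Atom/s:dict layout is used by every endpoint in this section. The following added example, which is not part of the Splunk documentation, parses a feed of that shape with the Python standard library and flags data models that any role may modify. SAMPLE_FEED is constructed from the MyApp entry above plus two invented entries (Debugger and Scratch); flagging a "*" in the write list is this example's own policy, not a Splunk rule.

```python
import json
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"

# Constructed sample feed, trimmed to the keys this example reads. The MyApp
# entry mirrors the GET response above; Debugger and Scratch are invented.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry><title>MyApp</title><content type="text/xml"><s:dict>
    <s:key name="acceleration">{"enabled": false}</s:key>
    <s:key name="eai:acl"><s:dict>
      <s:key name="app">search</s:key><s:key name="owner">nobody</s:key><s:key name="sharing">app</s:key>
      <s:key name="perms"><s:dict>
        <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
        <s:key name="write"><s:list><s:item>admin</s:item><s:item>power</s:item></s:list></s:key>
      </s:dict></s:key>
    </s:dict></s:key>
  </s:dict></content></entry>
  <entry><title>Debugger</title><content type="text/xml"><s:dict>
    <s:key name="acceleration">{"enabled": true, "earliest_time": "-1mon"}</s:key>
    <s:key name="eai:acl"><s:dict>
      <s:key name="app">search</s:key><s:key name="owner">admin</s:key><s:key name="sharing">global</s:key>
      <s:key name="perms"><s:dict>
        <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
        <s:key name="write"><s:list><s:item>*</s:item></s:list></s:key>
      </s:dict></s:key>
    </s:dict></s:key>
  </s:dict></content></entry>
  <entry><title>Scratch</title><content type="text/xml"><s:dict>
    <s:key name="acceleration">{"enabled": false}</s:key>
    <s:key name="eai:acl"><s:dict>
      <s:key name="app">search</s:key><s:key name="owner">alice</s:key><s:key name="sharing">user</s:key>
      <s:key name="perms"/>
    </s:dict></s:key>
  </s:dict></content></entry>
</feed>"""


def _value(node):
    """Convert an <s:key> or <s:item>: nested <s:dict> -> dict, <s:list> -> list, else text."""
    d = node.find(S + "dict")
    if d is not None:
        return {k.get("name"): _value(k) for k in d.findall(S + "key")}
    lst = node.find(S + "list")
    if lst is not None:
        return [_value(i) for i in lst.findall(S + "item")]
    return (node.text or "").strip()


def parse_feed(xml_text):
    """Map each <entry> title to its content keys; works for any Splunk Atom feed."""
    models = {}
    for entry in ET.fromstring(xml_text).findall(ATOM + "entry"):
        content = entry.find(ATOM + "content/" + S + "dict")
        keys = [] if content is None else content.findall(S + "key")
        models[entry.findtext(ATOM + "title")] = {k.get("name"): _value(k) for k in keys}
    return models


def acl_summary(fields):
    """Flatten eai:acl and the acceleration setting of one entry."""
    acl = fields.get("eai:acl") or {}
    perms = acl.get("perms") or {}            # <s:key name="perms"/> parses to "" -> {}
    try:
        accel = json.loads(fields.get("acceleration", ""))
    except ValueError:                        # the older acceleration endpoint returns "1"/"0"
        accel = fields.get("acceleration") == "1"
    enabled = accel.get("enabled", False) if isinstance(accel, dict) else bool(accel)
    return {
        "app": acl.get("app"), "owner": acl.get("owner"), "sharing": acl.get("sharing"),
        "read": perms.get("read", []), "write": perms.get("write", []),
        "accelerated": bool(enabled),
    }


def writable_by_everyone(models):
    """Names whose write list contains '*': any role may replace the model's
    constraint searches. Treating '*' as a finding is this example's policy."""
    return sorted(name for name, f in models.items() if "*" in acl_summary(f)["write"])


if __name__ == "__main__":
    parsed = parse_feed(SAMPLE_FEED)
    for name, fields in parsed.items():
        print(name, acl_summary(fields))
    print("writable by everyone:", writable_by_everyone(parsed))
```

To run this against a live server, replace SAMPLE_FEED with the body returned by the GET request shown above; the parser does not depend on which keys are present, so entries from data/ui/views or saved/eventtypes can be audited the same way.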



POST

Create a new data model.


Request parameters

Name Type Default Description
description String JSON description of the data model.
name String Name of the data model.
acceleration String Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings.
  • enabled (true or false)
  • earliest_time (time modifier)
  • cron_schedule (cron string)

Example

acceleration='{
    "enabled": true,
    "earliest_time": "-1mon",
    "cron_schedule": "0 */12 * * *"
    }'
Hunk data model acceleration settings See description Use these settings to configure acceleration for Hunk data models.
  • hunk.compression_codec
String, case-sensitive.
Specifies the compression codec to be used for the accelerated orc or parquet format files.
For parquet file format, use snappy or gzip.
For orc file format, use snappy or zlib.
  • hunk.dfs_block_size
Unsigned integer
Specifies the block size in bytes for the compression files.
  • hunk.file_format
String, case sensitive.
Valid options are orc and parquet

Example

 
acceleration='{
    "hunk.file_format": "orc",
    "hunk.compression_codec": "snappy"
    }'


Returned values

None

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/datamodel/model -d name=Debugger --data-urlencode description='{"modelName":"Debugger","displayName":"Debugger", "description": "A data model for debugging purposes". . . elided . . . }'

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://qa-sv-rh61x64-10:8089/services/datamodel/model</id>
  <updated>2013-10-16T11:19:24-07:00</updated>
  <generator build="183095" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Debugger</title>
    <id>https://qa-sv-rh61x64-10:8089/servicesNS/admin/search/datamodel/model/Debugger</id>
    <updated>2013-10-16T11:19:24-07:00</updated>
    <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="list"/>
    <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="edit"/>
    <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">{"enabled": false}</s:key>
        <s:key name="description">
          <![CDATA[{"displayName": "Debugger", "modelName": "Debugger", "objectSummary": \
        ...
        "autoextractSearch": " (index = _internal) "}]}]]>
        </s:key>
        <s:key name="displayName">Debugger</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          {'optionalFields': ['acceleration', 'acceleration.cron_schedule', \
           'acceleration.earliest_time', 'eai:data'], 'requiredFields': [], 'wildcardFields': []}
        </s:key>
        <s:key name="eai:digest">05ca1a193365a3b613b919c6401591e3</s:key>
        <s:key name="eai:type">models</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



datamodel/model/{name}

https://<host>:<mPort>/services/datamodel/model/{name}

Access, delete, or update the {name} data model.


DELETE

Delete a specific data model.


Request parameters
None


Returned values
None


Example request and response


XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/datamodel/model/MyApp

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
  <updated>2013-08-24T15:00:54-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>



GET

Access a specific data model.


Request parameters

Name Type Default Description
concise Boolean Indicates whether to list a concise JSON description of the data model.

The concise description is a summary for human readability. It is not used to create the data model.


Returned values

Name Description
acceleration Indicates whether acceleration is enabled for the data model.
concise Indicates whether to list a concise JSON description of the data model.
description The JSON describing the data model.
displayName The name displayed for the data model in Splunk Web.
eai:appName The Splunk app in which the data model was created.
eai:attributes Field control information.
eai:userName The name of the Splunk user who created the data model.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/datamodel/model/MyApp

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
  <updated>2013-08-24T13:07:36-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>MyApp</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
    <updated>2013-08-24T13:07:36-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">{"enabled": false}</s:key>
        <s:key name="description"><![CDATA[{"modelName": "MyApp", "objectNameList": ["HTTP_Request", "ApacheAccessSearch", "IISAccessSearch",
        . . . elided . . .
        "Interface Implementations": 0, "Search-Based": 1}, "description": "Data model for web analytics.", "displayName": "Web Intelligence"}]]>
        </s:key>
        <s:key name="displayName">Web Intelligence</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>acceleration</s:item>
                <s:item>concise</s:item>
                <s:item>description</s:item>
                <s:item>provisional</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:digest">b8ebd9315dddf8a5e572187f57ddc9de</s:key>
        <s:key name="eai:type">models</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Update a specific data model.


Request parameters


Name Type Default Description
acceleration String Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings.
  • enabled (true or false)
  • earliest_time (time modifier)
  • cron_schedule (cron string)

Example

acceleration='{
    "enabled": true,
    "earliest_time": "-1mon",
    "cron_schedule": "0 */12 * * *"
    }'
Hunk data model acceleration settings See description Use these settings to configure acceleration for Hunk data models.
  • hunk.compression_codec
String, case-sensitive.
Specifies the compression codec to be used for the accelerated orc or parquet format files.
For parquet file format, use snappy or gzip.
For orc file format, use snappy or zlib.
  • hunk.dfs_block_size
Unsigned integer
Specifies the block size in bytes for the compression files.
  • hunk.file_format
String, case sensitive.
Valid options are orc and parquet

Example

 
acceleration='{
    "hunk.file_format": "orc",
    "hunk.compression_codec": "snappy"
    }'
description String JSON description of the data model.
provisional Boolean Indicates whether the data model is provisional. Provisional data models are not saved.

Specify true to validate a data model before saving it.

If the endpoint returns with no errors, then specify this endpoint again, with provisional set to false, to save the data model.
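The acceleration parameter has to be valid JSON (the endpoint echoes it back as, for example, {"enabled": false, "earliest_time": "-1mon"}), and the provisional flag turns an update into a validate-then-save sequence. The following added Python example, which is not from the Splunk documentation, builds the form body for both steps and runs them through a caller-supplied post function, so nothing is sent unless you wire in a real HTTP client with your own authentication. The time-modifier and cron shape checks, and the rule that modelName inside the description must equal the {name} in the URL, are assumptions of this example; the page's own examples simply use the same value for both.

```python
import json
import re
from urllib.parse import quote, urlencode

# Splunk relative-time modifier, simplified to "now", "0" or [-+]N<unit>[@snap].
# This pattern is an assumption made for the example, not Splunk's own grammar.
_TIME_MOD = re.compile(r"^(now|0|[-+]?\d+(mon|s|m|h|d|w|q|y)(@[\w-]+)?)$")
# Five whitespace-separated cron fields; a coarse shape check, not a cron parser.
_CRON = re.compile(r"^([\d*,/-]+\s+){4}[\d*,/-]+$")


def build_acceleration(enabled, earliest_time=None, cron_schedule=None):
    """Return the JSON string for the `acceleration` form parameter.

    Every setting is emitted as real JSON (booleans and quoted strings), which
    is also the form the endpoint returns, e.g. {"enabled": false, "earliest_time": "-1mon"}.
    """
    settings = {"enabled": bool(enabled)}
    if earliest_time is not None:
        if not _TIME_MOD.match(earliest_time):
            raise ValueError(f"bad earliest_time: {earliest_time!r}")
        settings["earliest_time"] = earliest_time
    if cron_schedule is not None:
        if not _CRON.match(cron_schedule):
            raise ValueError(f"bad cron_schedule: {cron_schedule!r}")
        settings["cron_schedule"] = cron_schedule
    return json.dumps(settings)


def model_update_request(base_url, name, description, acceleration=None, provisional=False):
    """Build (url, form_body) for POST .../services/datamodel/model/{name}.

    `description` is the data model JSON. Requiring its modelName to equal the
    URL name is an assumption of this example (the page's examples use the
    same value for both).
    """
    if json.loads(description).get("modelName") != name:
        raise ValueError("description.modelName must equal the {name} in the URL")
    form = {
        "description": description,
        "provisional": "true" if provisional else "false",
    }
    if acceleration is not None:
        form["acceleration"] = acceleration
    url = f"{base_url}/services/datamodel/model/{quote(name, safe='')}"
    return url, urlencode(form)


def validate_then_save(post, base_url, name, description, acceleration=None):
    """Two-step update: POST with provisional=true (validate only, nothing is
    saved); only if that succeeds, POST again with provisional=false to save.

    `post(url, body)` is supplied by the caller and returns the HTTP status
    code. Wrap urllib or requests, with your own authentication, there.
    """
    url, body = model_update_request(base_url, name, description, acceleration, provisional=True)
    if not 200 <= post(url, body) < 300:
        return False          # validation failed, so do not attempt the save
    url, body = model_update_request(base_url, name, description, acceleration, provisional=False)
    return 200 <= post(url, body) < 300


def recording_post(status, calls):
    """Offline stand-in for an HTTP client: appends (url, body) to `calls`
    and returns the fixed `status`."""
    def post(url, body):
        calls.append((url, body))
        return status
    return post


if __name__ == "__main__":
    calls = []
    desc = json.dumps({"modelName": "Debugger", "displayName": "Debugger",
                       "description": "A data model for debugging purposes"})
    accel = build_acceleration(True, earliest_time="-1mon", cron_schedule="0 */12 * * *")
    print(validate_then_save(recording_post(200, calls), "https://localhost:8089",
                             "Debugger", desc, accel))
    for url, body in calls:
        print(url, body)
```

Checking the status of the provisional call before saving is the whole point of the flag: a description that fails validation is never written, and a client that ignores the first response and always sends the second request gets no benefit from it.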


Returned values

Name Description
acceleration Indicates whether acceleration is enabled for the data model.
concise Indicates whether to list a concise JSON description of the data model.
description The JSON describing the data model.
displayName The name displayed for the data model in Splunk Web.
eai:appName The Splunk app in which the data model was created.
eai:attributes Field control information.
eai:userName The name of the Splunk user who created the data model.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/datamodel/model/MyApp -d concise=true

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
  <updated>2013-08-24T13:35:54-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>MyApp</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
    <updated>2013-08-24T13:35:54-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">{"enabled": false, "earliest_time": "-1mon"}</s:key>
        <s:key name="description"><![CDATA[{"modelName": "MyApp", "objects": [{"constraints": [{"search": "sourcetype=access_* OR
        . . . elided . . .
        "PodcastDownload", "WebSession", "User"], "description": "Data model for web analytics."}]]>
        </s:key>
        <s:key name="displayName">Web Intelligence</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">{'wildcardFields': [], 'requiredFields': [], 'optionalFields': ['acceleration', 'acceleration.cron_schedule', 'acceleration.earliest_time', 'eai:data']}</s:key>
        <s:key name="eai:digest">d73ff2d833e3104eed99a8fd258dbae1</s:key>
        <s:key name="eai:type">datamodels</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



datamodel/pivot/{name}

https://<host>:<mPort>/services/datamodel/pivot/{name}

Access pivots that are based on named data models.


GET

Get information about a specific pivot.

Usage details
{name} refers to a data model on the system.

Specify a pivot using either the pivot_search or pivot_json parameter.


Request parameters

Name Type Default Description
pivot_json String JSON specifying a pivot based on the named data model.

Typically, you URL encode this parameter.

This endpoint requires either this pivot_json parameter or a pivot_search parameter.

pivot_search String A pivot search command based on the named data model.

Typically, you URL encode this parameter.

This endpoint requires either a pivot_json or this pivot_search parameter.


Returned values

Name Description
drilldown_search The search for running this pivot report using drilldown
open_in_search Equivalent to search parameter, but listed more simply.
pivot_json JSON specifying a pivot based on the named data model.
pivot_search A pivot search command based on the named data model.
search The search string for running the pivot report
tstats_search The search for running this pivot report using tstats


Example request and response


XML Request

curl -k -u admin:pass -G https://localhost:8089/services/datamodel/pivot/Authentication --data-urlencode pivot_search='| pivot Authentication Untagged_Authentication count(Untagged_Authentication) AS "Count of Untagged Authentication (S.o.S)"'

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://localhost:8089/services/datamodel/pivot</id>
  <updated>2013-08-26T15:07:57-07:00</updated>
  <generator build="178683" version="20130826"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Authentication</title>
    <id>https://localhost:8089/servicesNS/nobody/search/datamodel/pivot/Authentication</id>
    <updated>2013-08-26T15:07:57-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/pivot/Authentication" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/pivot/Authentication" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="drilldown_search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)"  | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>is_pivot_command</s:item>
                <s:item>namespace</s:item>
                <s:item>pivot_json</s:item>
                <s:item>pivot_search</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:digest">e74d56a3b4a25256028f3a236e3d2cbc</s:key>
        <s:key name="eai:type">models</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="open_in_search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)"  | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
        <s:key name="pivot_json"><![CDATA[{"rowFormat": {"showSummary": false}, "cells": [{"label": "Count of Untagged Authentication (S.o.S)", "value": "count", "fieldName": "Untagged_Authentication", "type": "objectCount", "owner": "Untagged_Authentication"}], "filters": [], "modelName": "Authentication", "baseClass": "Untagged_Authentication", "rows": [], "columns": [], "colFormat": {"showSummary": false, "showOther": true}}]]></s:key>
        <s:key name="pivot_search">| pivot Authentication Untagged_Authentication count(Untagged_Authentication) AS "Count of Untagged Authentication (S.o.S)"</s:key>
        <s:key name="search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)"  | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
        <s:key name="tstats_search"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>




directory

https://<host>:<mPort>/services/directory

Access user configurable objects.

These objects include search commands, UI views, UI navigation, saved searches, and event types. This is useful for seeing which objects are provided by all apps, or by a specific app when the call is namespaced.


GET

List app-scoped objects.

Usage details
Returns an enumeration of the following app scoped objects.

* event types
* saved searches
* time configurations
* views
* navs
* manager XML
* quickstart XML
* search commands
* tags
* field extractions
* lookups
* workflow actions
* field aliases
* sourcetype renames 

This is useful to see which apps provide which objects, or all the objects provided by a specific app. To change the visibility of an object type in this listing, use the showInDirSvc setting in restmap.conf.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

None


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" 
  xmlns:s="http://dev.splunk.com/ns/rest" 
  xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>directory</title>
  <id>https://localhost:8089/services/directory</id>
  <updated>2011-05-16T19:03:40-0700</updated>
  <generator version="98144"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>_admin</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/ui/views/_admin</id>
    <updated>2011-05-16T19:03:40-0700</updated>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="list"/>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>abc</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/abc</id>
    <updated>2011-05-16T19:03:40-0700</updated>
    <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="alternate"/>
    <author>
      <name>ssorkin</name>
    </author>
    <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="list"/>
    <link href="/servicesNS/nobody/search/data/ui/views/abc/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



directory/{name}

https://<host>:<mPort>/services/directory/{name}

Get information about the {name} directory entity.

Usage details
This is rarely used. Typically after using the directory service enumeration, a client follows the specific link for an object in an enumeration.

GET

Get information about a specific directory entity.


Request parameters
None


Returned values

Name Description
eai:type Entity type.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory/dashboard_live

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>directory</title>
  <id>https://localhost:8089/services/directory</id>
  <updated>2011-05-16T19:09:59-0700</updated>
  <generator version="98144"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>dashboard_live</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/dashboard_live</id>
    <updated>2011-05-16T19:09:59-0700</updated>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="list"/>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
            <s:dict>
                <s:key name="optionalFields">
                    <s:list/>
                </s:key>
                <s:key name="requiredFields">
                    <s:list/>
                </s:key>
                <s:key name="wildcardFields">
                    <s:list/>
                </s:key>
            </s:dict>
        </s:key>
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



saved/eventtypes

https://<host>:<mPort>/services/saved/eventtypes

Access or create an event type.

GET

Retrieve saved event types.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
description Description of this event type.
disabled Indicates if the event type is disabled.
eai:appName The Splunk app for which this event type applies. For example, the Splunk search app.
eai:userName Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags [Deprecated] Tags associated with this event type.

Use the tags.conf.spec file to assign tags to groups of events with related field values.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:46:52-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>internal_search_terms</title>
    <id>https://localhost:8089/servicesNS/nobody/system/saved/eventtypes/internal_search_terms</id>
    <updated>2011-07-10T23:46:52-07:00</updated>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="list"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="edit"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">
          <![CDATA[( "After evaluating args" OR "Before evaluating args" OR "context dispatched for search=" OR "SearchParser - PARSING" OR "got search" OR "_dispatchNewSearch - search" OR "search:* - q" OR ( decomposition fullsearch ) OR "PAAAAAARSER! - search" OR "view:* - DECOMPOSITION" OR "Splunk.Module.SearchBar .setInputField" OR ( typeahead prefix ) OR "DEBUG HTTPServer - Deleting request=GET" OR /en-US/api/search/typeahead )]]>
        </s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>


POST

Create an event type.


Request parameters

Name Type Default Description
name String The name for the event type.
search String Search terms for this event type.
description String Human-readable description of this event type.
disabled Boolean 0 If True, disables the event type.
priority Number 1 Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
tags String [Deprecated] Use tags.conf.spec file to assign tags to groups of events with related field values.


Returned values

Name Description
description Description of this event type.
disabled Indicates if this event type is disabled.
eai:appName The Splunk app for which this event type applies. For example, the Splunk search app.
eai:userName Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags [Deprecated] Tags associated with this event type.

Use tags.conf.spec file to assign tags to groups of events with related field values.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes -d name="client-errors" --data-urlencode 'search=http client error NOT (403 OR 404)'

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:47:10-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:47:10-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>



saved/eventtypes/{name}

https://<host>:<mPort>/services/saved/eventtypes/{name}


Manage the {name} event type.


DELETE

Delete an event type.


Request parameters

None

Returned values

None

Example request and response


XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:48:29-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Access the {name} event type.

Request parameters

None

Returned values

Name Description
description Description of this event type.
disabled Indicates if the event type is disabled.
eai:appName The Splunk app for which this event type applies. For example, the Splunk search app.
eai:attributes Field control information.
eai:userName Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags [Deprecated] Tags associated with this event type.

Use the tags.conf.spec file to assign tags to groups of events with related field values.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:47:17-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:47:17-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>description</s:item>
                <s:item>disabled</s:item>
                <s:item>priority</s:item>
                <s:item>tags</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>search</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Update an event type.

Usage details
The search must be re-specified for this edit.

URI-encode the search string if it contains any of the following characters: =, &, ?, %

If the search string is not URI-encoded, these characters are interpreted as part of the HTTP request (parameter separators, a query-string delimiter, or an escape sequence) rather than as part of the search.


Request parameters

Name Type Default Description
search String Search terms for this event type.
description String Human-readable description of this event type.
disabled Boolean 0 If True, disables the event type.
priority Number 1 Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
tags String [Deprecated] Use tags.conf.spec file to assign tags to groups of events with related field values.
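As an added example (not from the Splunk documentation), the following Python builds the form body for this POST with the search URI-encoded as the usage details require, and reads the Atom feed the endpoint returns. The feed it parses is a constructed sample modelled on the response shown below; no live Splunk instance is contacted.

```python
# Added example, not Splunk's own code: encode the event type update body
# and parse the returned Atom feed. Runs offline on a constructed response.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"


def eventtype_form(search, description=None, disabled=None, priority=None):
    """Return the application/x-www-form-urlencoded body for the update.
    urlencode() percent-encodes =, &, ? and % in the search string, so the
    search cannot be read by the server as extra request parameters."""
    fields = {"search": search}          # search must be re-specified on edit
    if description is not None:
        fields["description"] = description
    if disabled is not None:
        fields["disabled"] = "1" if disabled else "0"
    if priority is not None:
        if not 1 <= int(priority) <= 10:
            raise ValueError("priority must be an integer from 1 to 10")
        fields["priority"] = str(priority)
    return urlencode(fields)


def parse_eventtype_feed(xml_text):
    """Map each <entry> title to its leaf <s:key> values. Keys that hold a
    nested <s:dict> or <s:list> (eai:acl, eai:attributes, tags) are skipped."""
    root = ET.fromstring(xml_text)
    result = {}
    for entry in root.iter(ATOM + "entry"):
        title = entry.findtext(ATOM + "title")
        keys = {}
        for key in entry.iter(SREST + "key"):
            if len(key) == 0:               # no child elements: a leaf value
                keys[key.get("name")] = key.text or ""
        result[title] = keys
    return result


# Constructed sample response, shaped like the feed this endpoint returns.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <entry>
    <title>client-errors</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">HTTP Client Errors</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">http client error NOT (403 OR 404)</s:key>
        <s:key name="tags"><s:list/></s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

if __name__ == "__main__":
    print(eventtype_form("http client error NOT (403 OR 404)",
                         description="HTTP Client Errors"))
    print(parse_eventtype_feed(SAMPLE_FEED)["client-errors"])
```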


Returned values

Name Description
description Description of this event type.
disabled Indicates if this event type is disabled.
eai:appName The Splunk app for which this event type applies. For example, the Splunk search app.
eai:userName Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags [Deprecated] Tags associated with this event type.

Use tags.conf.spec file to assign tags to groups of events with related field values.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors -d description="HTTP Client Errors" --data-urlencode 'search=http client error NOT (403 OR 404)'

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:48:22-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:48:22-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">HTTP Client Errors</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>



search/fields

https://<host>:<mPort>/services/search/fields

Access search field configurations.

Usage details
Field configuration is specified in $SPLUNK_HOME/etc/system/default/fields.conf, with overridden values in $SPLUNK_HOME/etc/system/local/fields.conf.


GET

Get a list of fields registered for field configuration.

Request parameters

None

Returned values
None


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Fields</title>
  <id>/servicesNS/admin/search/search/fields</id>
  <updated>2011-07-11T10:04:51-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>_indextime</title>
    <id>/servicesNS/admin/search/search/fields/_indextime</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/_indextime" rel="alternate"/>
  </entry>
  <entry>
    <title>_sourcetype</title>
    <id>/servicesNS/admin/search/search/fields/_sourcetype</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/_sourcetype" rel="alternate"/>
  </entry>
  <entry>
    <title>date_hour</title>
    <id>/servicesNS/admin/search/search/fields/date_hour</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/date_hour" rel="alternate"/>
  </entry>

  . . . elided . . .

  <entry>
    <title>splunk_server</title>
    <id>/servicesNS/admin/search/search/fields/splunk_server</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/splunk_server" rel="alternate"/>
  </entry>
  <entry>
    <title>timeendpos</title>
    <id>/servicesNS/admin/search/search/fields/timeendpos</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/timeendpos" rel="alternate"/>
  </entry>
  <entry>
    <title>timestartpos</title>
    <id>/servicesNS/admin/search/search/fields/timestartpos</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/timestartpos" rel="alternate"/>
  </entry>
</feed>



search/fields/{field_name}

https://<host>:<mPort>/services/search/fields/{field_name}

Access the {field_name} field.


GET

Get information about the {field_name} field.


Request parameters

None

Returned values
None


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/sourcetype

XML Response

<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype</title>
  <id>/servicesNS/admin/search/search/fields/sourcetype</id>
  <updated>2011-07-11T10:08:54-07:00</updated>
  <link href="/servicesNS/admin/search/search/fields/sourcetype" rel="alternate"/>
  <content type="text">	Attr:INDEXED	True
	Attr:INDEXED_VALUE	False
	Attr:TOKENIZER	
</content>
</entry>



search/fields/{field_name}/tags

https://<host>:<mPort>/services/search/fields/{field_name}/tags

Access or update the tags associated with the {field_name} field.


GET

Get tags associated with the {field_name} field.

Request parameters
None

Returned values
None


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Tags for the host field</title>
  <id>/servicesNS/admin/search/search/fields/host/tags</id>
  <updated>2011-07-11T10:41:46-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>location::sfo</title>
    <id>/servicesNS/admin/search/search/fields/host/tags#location::sfo</id>
    <updated>2011-07-11T10:41:46-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/host/tags#location::sfo" rel="alternate"/>
  </entry>
</feed>



POST

Update tags associated with the {field_name} field.

Usage details
The value parameter specifies the specific value on which to bind tag actions. Multiple tags can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then processes the deletes.

You must specify at least one add or delete parameter.


Request parameters

Name Type Default Description
value String The specific field value on which to bind the tags.
add String The tag to attach to this field_name:value combination.
delete String The tag to remove from this field_name::value combination.


Returned values
None


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags -d add=sfo -d delete=nyc -d value=location

XML Response

<response>
  <messages>
    <msg type='INFO'>Successfully processed adds/deletes for field host</msg>
  </messages>
</response>



search/tags

https://<host>:<mPort>/services/search/tags

Access search time tags.


GET

List all search time tags.

Request parameters

None

Returned values
None


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Tags</title>
  <id>/servicesNS/admin/search/search/tags</id>
  <updated>2011-07-08T01:35:09-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>machine</title>
    <id>/servicesNS/admin/search/search/tags/machine</id>
    <updated>2011-07-08T01:35:09-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/machine" rel="alternate"/>
  </entry>
  <entry>
    <title>user</title>
    <id>/servicesNS/admin/search/search/tags/user</id>
    <updated>2011-07-08T01:35:09-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/user" rel="alternate"/>
  </entry>
</feed>



search/tags/{tag_name}

https://<host>:<mPort>/services/search/tags/{tag_name}

Access, update, or delete {tag_name} values.


DELETE

Delete the tag and its associated field:value pair assignments.

Usage details
When a tag is deleted, field:value pairs are set to disabled in tags.conf.


Request parameters
None

Returned values
None

Example request and response


XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/search/tags/user

XML Response

<response>
  <messages>
    <msg type="INFO">Tag successfully deleted</msg>
  </messages>
</response>



GET

Returns a list of field:value pairs associated with the {tag_name} tag.

Request parameters
None

Returned values
None

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Field::Value pairs with tag user</title>
  <id>/servicesNS/admin/search/search/tags/user</id>
  <updated>2011-07-08T01:35:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>eventtype::userupdate</title>
    <id>/servicesNS/admin/search/search/tags/user#eventtype::userupdate</id>
    <updated>2011-07-08T01:35:28-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/user#eventtype::userupdate" rel="alternate"/>
  </entry>
</feed>



POST

Update the field:value pairs associated with the {tag_name} tag.

Usage details
Multiple field:value pairs can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then all of the deletes.

If {tag_name} does not exist, then the tag is created inline. Notification is sent to the client using the HTTP 201 status.

Request parameters

Name Type Default Description
add String A field:value pair to tag with {tag_name}.
delete String A field:value pair to remove from {tag_name}.
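As an added example (not Splunk's own code) covering this POST and the search/fields/{field_name}/tags POST above, the following Python builds the repeated add/delete form body, models the documented processing order (all adds, then all deletes) on a local set, and reads the <response> messages. The response it parses is a constructed sample.

```python
# Added example, not Splunk's own code: tag update body, documented
# add-then-delete ordering, and response message check. Runs offline.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def tag_update_form(add=(), delete=(), value=None):
    """Return the form body, repeating add/delete once per item.
    value is only used by search/fields/{field_name}/tags; without it the
    request targets search/tags/{tag_name}, whose items are field::value pairs."""
    if not add and not delete:
        raise ValueError("at least one add or delete parameter is required")
    if value is None:
        bad = [p for p in list(add) + list(delete) if "::" not in p]
        if bad:
            raise ValueError("expected field::value pairs, got %r" % bad)
    pairs = []
    if value is not None:
        pairs.append(("value", value))
    pairs += [("add", a) for a in add]
    pairs += [("delete", d) for d in delete]
    return urlencode(pairs)


def apply_tag_update(current, add=(), delete=()):
    """Model the server's ordering on a local set of field::value pairs:
    adds are applied first, then deletes, so an item named in both is
    removed in the end."""
    result = set(current)
    result.update(add)
    result.difference_update(delete)
    return result


def response_messages(xml_text):
    """Return [(type, text)] for every <msg> in a <response> document, so a
    caller can check for anything other than INFO before trusting the update."""
    root = ET.fromstring(xml_text)
    return [(m.get("type"), m.text or "") for m in root.iter("msg")]


# Constructed sample, shaped like the response shown in the docs.
SAMPLE_RESPONSE = """<response>
  <messages>
    <msg type="INFO">Processed adds/deletes for tag</msg>
  </messages>
</response>"""

if __name__ == "__main__":
    print(tag_update_form(add=["eventtype::userupdate"],
                          delete=["eventtype::useradd-suse"]))
    print(apply_tag_update({"eventtype::useradd-suse"},
                           add=["eventtype::userupdate"],
                           delete=["eventtype::useradd-suse"]))
    print(response_messages(SAMPLE_RESPONSE))
```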


Returned values
None

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user -d add=eventtype::userupdate -d delete=eventtype::useradd-suse

XML Response

<response>
  <messages>
    <msg type="INFO">Processed adds/deletes for tag</msg>
  </messages>
</response>



Last modified on 12 January, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9

